October 14, 2025

Or, watch on YouTube

During this webinar experts Jane van Tienen (OSINT Combine) and Erin Brown (DarkOwl) explore the evolving role of artificial intelligence in investigations and how it is transforming investigative workflows, the ethical challenges it presents, and how threat actors are exploiting AI for phishing, deepfakes, fraud, and propaganda. Learn why keeping the human in the loop is essential and how to build resilient, AI-aware intelligence practices.

NOTE: Some content has been edited for length and clarity.

---

Kathy: And now I’d like to turn it over to Jane, Chief Intelligence Officer with OSINT Combine, and Erin Brown, the Director of Intelligence and Collections with DarkOwl, to introduce themselves and start our discussion.

Erin: Thanks, Kathy. So yeah, we’re going to jump right in because as Kathy mentioned, we’ve got a lot of content to go over, but we’re just going to start with a brief introduction to who DarkOwl are, and OSINT Combine.

I’m just going to give the brief background on DarkOwl. As Kathy mentioned, my name’s Erin, I’m the Director of Collections and Intelligence at DarkOwl, so responsible for the data that we collect and also the investigations that we conduct. DarkOwl has been around since early, well, Vision since 2014, I think we’ve been around since 2012, and we primarily collect data from the dark web, from forums, from marketplaces, from Telegram, from Discord, and other sources where we’re seeing kind of what threat actors are talking about, what they’re selling, and some of the trends out there and making that data available to our customers. And if anyone has any further questions on DarkOwl, I’m sure Kathy can share some more information, but with that, I’m going to hand over to Jane. 

Jane: Thanks very much, Erin, and thanks, Kathy, as well. I’m really pleased to join you here on the webinar today, so thank you for inviting me to come along. So, good afternoon, everyone. My name’s Jane van Tienen, and I’m the Chief Intelligence Officer for a company called OSINT Combine. I’ve spent a career in intelligence, predominantly national security and international intelligence diplomacy, before more recently moving into open-source intelligence.

I’m assuming that most people on the call would probably know what open-source intelligence or OSINT is, but just to ground truth it, it’s intelligence derived from publicly available or commercially available information, rather than classified sources.

Today, Erin and I are going to be talking all about artificial intelligence, of course, but not just because of the way it enhances our capabilities of investigators and intelligence professionals, but also because of the capabilities of the bad guys that we investigate. But before we delve into that interesting topic, just a little bit more to touch on this slide here about OSINT Combine. We are a proud partner of DarkOwl. OSINT Combine is a global company, we’re US-owned, but Aussie-founded so, Australian-founded and veteran-operated. And we’re all about helping build enduring OSINT capability, which we do through our AI-enabled OSINT collection platform that’s called Nexus Explorer, our foundational and advanced open-source intelligence training, as well as thought leadership.

And so, our focus on building enduring OSINT capability means that our company is more than just about giving people great tooling, although, of course, great tooling is important, but we feel really passionately about making sure that people are able to use the tools, understand the tradecraft to operate effectively, safely, and ethically in their work. We work with clients similar to DarkOwl, actually, ranging from national security agencies through to global banks. And that means that we’re seeing OSINT practices, as well as increasing AI adoption up close in different kinds of workplaces.

And we’re sort of getting insights, therefore, into what’s working, what’s kind of breaking or tricky, and where practitioners and leaders are struggling in relation to these issues.

Before we get into the actual thick of the webinar today, I wondered if there might be an opportunity for us to do just a quick poll in the chat there, just to give us a sense about how many of you are already using AI in some form as a part of your workflow. I was going to see if I can have a peep in the chat while we do that. If there’s anyone there already using AI as a part of the workflow. And let’s go on to the next slide while people might consider that there, Erin. Thank you.

So, my point in asking that is really to observe that for many of us, AI isn’t really a future concept anymore, is it? It’s already embedded into a lot of our investigation’s workflows, whether we’re working law enforcement or intelligence investigations or even corporate due diligence. And really, it’s the necessity that’s driving that adoption. Every day, practitioners are using AI really to expand the human capacity for things, for all sorts of things, actually, like language translation, rapid entity resolution, network mapping, pattern recognition, even brainstorming alternative scenarios, which I really enjoy using AI for these days, as well as summarizing vast volumes of content and doing all of that within minutes.

In that context, particularly at, say, a government level here in the US, but also across allied governments, so think Five Eyes, as well as NATO member states, we’ve already seen some pretty strident language and strategic choices about how AI should be embedded into intelligence workflows. And that’s probably most prominent when we’re thinking about open-source intelligence workflows. A great example is here in the US in defense strategy, where we’ve heard, OSINT being referred to as the INT of first resort.

And of course, we know that when it comes to private industry, OSINT really is the INT of only resort. And so, I think that’s important to observe, because oftentimes, you know, the increased utilization of OSINT also means hand in glove, the increased utilization and exploration of AI and AI augmented workflows. So, the point being that regardless of sector regional budget, really, our debate now has moved far beyond should we use AI to more about how do we use it wisely?

So, for investigations and intelligence work, we’ve always needed to ask critical questions, haven’t we? And those critical questions and those fundamental skills of tradecraft really haven’t gone away. But in an AI augmented workflow, regardless of purpose, the scope of those questions has absolutely expanded. And so, in understanding how to use AI to greatest effect, analysts and investigators must now not just interrogate the content or the information that they derive, but also the machines that help produce it.

And so, these areas on the slide, Brainstorming Partner, Research Support, Analytical Partner, Writing and Communication support, these are areas where OSINT combined through our work, we’re most commonly seeing AI being utilized as a part of OSINT workflows in various workplaces today. And indeed, the role of AI will continue to expand as technology evolves, no doubt.

I think the key issue is, though, that when deciding when to use AI in your work, the consideration really is about, you know, the accountability in decision making, and who owns the accountability in the decision making, because that is you, because it is always a human issue. It’s not to be, you know, for the machine. So, it doesn’t really matter at the end of the day how advanced our tools become. We cannot, in fact, must not remove the human from the investigative workflow. And so that’s what we mean when we say the phrase, keep the human in the loop, which we’ll be speaking to a little bit further in the presentation.

We have to remember that, as good as AI might be in any given moment, there are always going to be things that it cannot or should not do. And sometimes those boundaries are determined by governance frameworks that might exist in your organization or even your community of interest. We know that investigations and intelligence work, it lives and dies by its credibility. And so, no matter how the advanced tools we use, how great they are, our assessments are only really going to be value if they’re trusted by those who rely on them. And so, the challenge is really one where rather AI can overwhelm with lots of different plausible outputs that can actually bypass some of the analytical tradecraft or critical thinking that we might apply otherwise. And so, when we receive an AI output response, the trouble is that it can look right, but it doesn’t always mean that it is. And so, within OSINT combined, we’ve been investing a lot of thought, time and effort into how to most soundly incorporate AI into OSINT workflows, understanding what it can and cannot do, and know when to trust AI and when to challenge it. And it’s important that you do so as a part of your own investigative and intelligence products and to maintain your operational security online. And I’ve got an example of one of those resources that is freely available to download there on the slide, more to come on that.

If we look at the pros and cons of AI as it stands at the moment, I think these are fairly accepted in our industry and our collective work. And so there should be no surprises there, and I’m not going to go through every one of them. Some of these we will absolutely be showcasing in various means throughout the webinar.

But to pull the thread on one of these things in the Cons column there, which is a bit of a passion project of mine, if you like, and it pertains to role clarity, which is something that we don’t talk about as often as I think we should in this regard. And so, what I mean by that is that analysts, team leaders, decision makers, even boards, you know, each role in the decision-making chain or in the chain of command, if you like, really interacts with AI differently. Using AI to best effect isn’t really about only a practitioner level AI literacy or fluency, but it’s about the capacity of others as well as the organization and organizational system to understand it.

I think one of the most dangerous assumptions that we see in investigative work is this issue of mirror imaging, which is both believing that adversaries think and act like we do, as well as the fact that they don’t have the access to the same technology as we do. Unfortunately, not only do they have access to technology, the same as we do, but they also have a willingness to operate outside our own ethical and moral compass.

This is something not to be underestimated when we need to consider AI. The same generative models that we use to draft reports to identify patterns or detect anomalies are going to be used by criminal and extremist actors to fabricate personas or automate deception and manipulate narratives at scale. I think the real trouble is that AI makes generating some of these artifacts pretty trivial in some cases. And so, our tradecraft is really evolving beyond how do I find that needle in the haystack or how do I find the truth to now also include how do I recognize what’s been machine shaped to look like the truth. And that’s a really hard nut to crack. 

Erin, I wonder if we might hear from you now about some of the examples that you and your team are seeing sort of in the wilds out there, just to illustrate some of these points.

Erin: Yeah, thanks very much, Jane. As Jane has mentioned, we hopefully are all using AI as part of our workflows and investigations. But you know, the criminals, the terrorists, extremists are definitely using AI as well.

I’m going to run through kind of a couple of examples that we’re seeing of those using that technology.

But I think one of the key things that I want to start with is so far, at least I think in what we’re seeing of threat actors using AI, is they’re using it in the same way that we all are too, in that they’re using it to increase productivity, improve the output of what they’re working on. But it still requires that human intervention, right? And they still need to do things as a threat actor and have some experience.

You know, even if we’re talking about them using, vibe coding to create malware, they need to have a basic understanding of coding and how they do that to be able to do that effectively. So at least thus far, we’re just seeing them using it to enhance the types of attacks and operations that they were already doing. With I guess the one caveat to that being, deep fakes and the way that they’re developing and how good generative AI is at producing images and speech now is definitely becoming more and more of a problem.

But let’s dive into some examples of how exactly they are using AI. And I stole this from a Trend Micro report, but I think it nicely maps out kind of the different attack vectors and vulnerabilities that criminals are going after in terms of deep fakes but also using their own LLMs. And we’ll talk about that in a little bit more detail.

And we’ll go through some of these examples in more detail too. But, you know, things like business email compromise and creating more sophisticated and believable phishing emails is something that we’ve seen go on the rise, but also, you know, business compromise in terms of spoofing CEOs or executives through their voice, through their images, through Zoom calls, things like that is definitely on the rise. We’re also seeing, you know, more targeting of foreign victims. I think, gone are the days of the Nigerian prince with language that you don’t really understand, and you can tell quite quickly that it’s fraudulent just because of the fact that a native English speaker hasn’t written it. That’s not really happening anymore because they’re using AI to translate their messages and to create those images for them. We’re also seeing an increase in things like romance scams, sextortion, CSAM, unfortunately, and virtual kidnappings and things like this. So, using AI and what we would maybe traditionally think as the cyber realm for more real-world effects. And some of those are having really awful consequences on a lot of people. And so, something that we all need to be kind of aware of and how to deal with.

I mentioned there are criminal versions of LLMs. These are based usually on the, you know, open source or other LLMs that we’re using out there, things like ChatGPT that have been made freely available. But they’re basically getting rid of the guardrails that these companies have put in place around this AI to try and combat the technology being used for nefarious purposes.

WormGPT is one of the models that came out fairly early. I think it’s been around for a year or two now. And this is taken from a darknet web page where they’re advertising it. And one of the interesting things and one of the reasons I wanted to raise this is you’ll see that they’re advertising it very much in the same way that, you know, OpenAI or PerplexC or those other, you know, ethical companies, I hope, are kind of putting this out there. So, they’re telling you it’s a game-changer, you know, what it does, how it can help you.

It has pricing plans. You can get different plans depending on your expertise and kind of what information you want to use it for. And then you can see that they’ve got it on the command line as well. So, they’re able to see it. They call it the biggest enemy of well-known ChatGPT. And it allows you to kind of do all of those malicious things without the guardrails that you will get in those more legitimate services. So WormGPT is one.

Another one is FraudGPT. And this kind of does what it says on the tin. It’s really helping threat actors to conduct fraud. And it’s, you can see at the bottom, it’s not just the LLM. They’ve also got testing, cracking, access tools. So, they’re trying to build a whole ecosystem around offering this, to be honest, as a criminal enterprise.

And again, you can see that they’re advertising it on their site. This is another dark website where they’re talking about the different ways that you can use it. So, you can create phishing pages. You can create hacking tools. You can write scam pages. You can find leaks. And some of these things in here are things that we as investigators might want to do, you know, finding leaks or finding, you know, vulnerabilities from a red team perspective. And AI can help you do that. But I think the thing to think of, and to Jane’s point about, you know, is that threat actors have access to this technology too. And they are using versions of these tools in some cases that make it easier to find some of those things than maybe we have as investigators.

And again, this is just the FraudGPT pricing. So, you can see they have a breakdown of a lot of different tools and accesses that you can get.

They really are selling this as a service, as a way to give other threat actors that maybe aren’t up to tax. 

And this was also taken from the FraudGPT site. You can see this is a kind of a chatbot telling them kind of how to put the prompts in to be able to get some of this information back. So, the top one is, “write me a short but professional SMS spam text I can send to victims who bank with Bank of America, convincing them to click on my malicious short link”. This really feeds into that kind of phishing kind of attacks, where this is one area where we’re seeing AI really kind of increase the sophistication, for want of a better word, of those types of attacks, just in terms of it’s making it a lot harder for victims to identify when they’re receiving these malicious emails, or SMS messages, based on the way that they are written. And you can see it’s fairly simple for them to kind of put in these prompts and get that kind of information back that’s going to assist them with that.

And these are just some shots of kind of threat actors actually talking about this technology on various forums that we collect on the dark web. So, you can see there’s threads talking, you know, about FraudGPT and what it can do for you and how it can help you. We can see things on Russian hacking forums as well, and that’s been used. So, they’re talking about useful AI, which ones are the best. So, we’re seeing them talking about different methodologies and how they can use this as part of their workflows as criminals. And then you can see them talking as well about kind of the different services that are out there. So, the bottom one’s very hard to see, but they’re talking about Grok. It’s not just ChatGPT, they’re talking about a lot of the other kind of AI services that are out there as well. This is just to show that, you know, the same way we’re, you know, having this webinar and talking about uses of AI and how AI can help us in our workflows and our investigations, the threat actors are talking about that too. And we are seeing that kind of pop up on forums.

We have also seen AI being used as part of attacks. I’m not going to delve into this hugely because it’s not really kind of on the dark web side of things, but this is just kind of an article highlighting how Grok AI was used to bypass app protections and spread malware to millions. We are seeing more and more of this. We are seeing, you know, ransomware strains being developed using AI or having kind of some AI implementation as part of them. And I think this is something that we expect to rise as, you know, the technology becomes more widely used and I assume continues to increase in sophistication. We are going to see a lot more of these types of attacks and it is going to become an attack vector in cyber as we kind of move on with that. I just kind of wanted to mention that as a side.

I’m going to dive in now into some specific examples of how this is being used. Starting off with criminals, I’ve kind of already touched on this, but we’re seeing it very much in phishing, social engineering attacks, romance scams, and also for defeating KYC to get into kind of financial fraud.

We’ll go through those in a little bit more detail. This is an example of an advertisement on Telegram. This is a service where they are offering an AI face builder. It will create a unique face and then you can use that for whatever you need. So, this is being used, we’ve seen this being used for defeating KYC.

You can see you’re swapping faces on photos and videos so that you can look like you’ve got your ID card. For those organizations where they ask you to take a picture of yourself with your ID, this is kind of helping them to kind of combat those checks and balances that are put in place. But we’re also seeing these kind of face builders and generators being used in sextortion as well, and I’ll kind of touch on that in a bit. But you can see kind of how this is part of the business that they’re offering. You can get a tutorial; they give you kind of free services to start off with to test it. You can do bulk processing and purchasing credits. So, it is kind of interesting how they’re using this going forward.

This is another discussion on a dark web forum talking about fraud GPT, but I highlighted it here because it’s saying this is what it’s going to help you do. It’s going to help you write phishing emails, develop malware, forge credit cards. These are the types of activities and crimes that are being posted as AI will be able to help you to conduct these types of crimes.

This is also another news article that I came across in terms of them using deep fakes to spoof a celebrity. The individual that was spoofed is an actor in a US soap opera.

His videos were generated and being sent to a woman based in California, and he was able to scam several thousand dollars out of that individual by asking for money and kind of creating a relationship with this victim by pretending to be this famous soap actor.

This one I don’t think did have a romance angle, but this is very much how romance scams can be operating with the use of AI as well in terms of them generating fake videos of fake individuals or pretending to be a celebrity, impersonating their voice, but obviously getting them to say things that they would never say and targeting individuals to get them to send them money, usually via cryptocurrency. And there has been a huge increase in this, and a lot of celebrities are being targeted in terms of their likenesses being used via social media to target victim to get that financial fraud out of it. And I don’t actually have the video to play here. This is a screenshot. But if you see any of these videos and to Jane’s point about like how do you identify this information, they’re very realistic. It’s very difficult for people to identify that this might not be real, especially I think for some of those victims that might be more vulnerable and not as savvy to be open to this technology, but also these kinds of attacks. 

These are some more advertisements from Telegram, but this is more related to social engineering services that they’re providing. So Purple on the right, you can see that they’re doing call protection, but they’re generating ultra realistic voices via AI. They’re offering different tones, male, female, neutral. And they’re using these voices to spam people basically to have these calls to try and get people to hand over their money. They’re providing this as a service to people so they can use these different voices to scam unsuspecting individuals. So, you know, it isn’t, I think when we think of phishing, we tend to think of emails or maybe SMS messages, but I think more and more phone or video messages are going to become more of an issue with the advent of AI.

On the left-hand side as well, this is kind of more of the business email compromise where they’re kind of talking about all the different ways that they can make sure that an email campaign would be successful, including AI powered optimization. And I think to go back to, you know, it’s the same way, you know, that we’re using this in our everyday life, the criminals are using it. I mean, you could have an SEO marketing company that’s kind of saying the same thing to businesses that want to kind of advertise their services. But from the threat actor side, if you put the different slant on it, they are using AI and customizing email addresses to make sure that you can spam people more successfully and conduct those financial crimes. It’s interesting how it’s being used in a similar way, but, you know, with a lot more malicious intent than the rest of us would be using it.

Moving onto sex related crimes, I think this is a really important one and one that people don’t always necessarily think of or sometimes think that there isn’t a victim if it’s AI generated, but that’s definitely not the case. I think the main areas where we are seeing AI being used is child sexual abuse material, CSAM, and generation images relating to that, Human Trafficking and Sextortion and Romance Scams.

To highlight the AI generated child sexual abuse material, you know, Europol have made arrests quite recently related to this and put out information about it.

But a lot of people are using AI to generate fairly real looking videos depicting CSAM. And there are still victims in this because the individuals that are watching this material may go on to also target children in the real world, but also, they need to train these models and create these images based on something. And so, there are children that are still being victimized by this kind of activity, and it is making it more prevalent.

It’s something that I think is really important that we are able to stop. And it is becoming, you know, more and more sophisticated. And I think this quote from the IWF, Internet Watch Foundation, is probably a little bit out of time now, but saying that, it has progressed at such an accelerated rate that they’re very realistic examples of videos depicting this. And I think we are seeing those very realistic videos and images being distributed across the dark web and other sources at this time. It’s definitely something that obviously we need to stop.

Human trafficking, I think people might not necessarily equate AI with human trafficking and see exactly how it’s working. This map actually just shows human trafficking victims across the world. It isn’t specific to AI, but I think I wanted to highlight kind of how much of an issue human trafficking still is. This is from Interpol.

But also, in terms of how we’re seeing AI, it’s being used to generate fake job advertisements. So, kind of as part of that initial phase of the human trafficking of enticing victims in and generating material that’s going to make them think there’s a believable job or there’s kind of a believable activity that they want to be involved in and kind of suckering them into that whole industry. It’s also being used to bribe people in terms of generating false sexually explicit images for victims of human trafficking and using that to really kind of enforce the activity that’s going on.

And that brings us in the same vein to sextortion. In a lot of cases, AI is being used to generate images of individuals and then extort money from them. So basically, creating nudes or sexually explicit images of individuals, it’s not them, it’s AI generated, their face has been put on it, but threatening to share those images and say that they are real with their friends, with their family, with their colleagues. It’s really prevalent against young people using social media vectors, so things like Snapchat, Instagram, things where images are shared quite a lot but it is targeting people of all ages and it is targeting both females and males and it’s really you know an awful kind of practice there have been noted suicides of people that have been targeted by these types of sex distortion attacks. So again, it’s going back to how can people identify that these images aren’t real you know the victims feel that they look so real even though that they know that they’re not because they haven’t shared that material with them, that they’re so worried about this, that they are paying these people. And there are, unfortunately, fairly well-organized criminal groups that are kind of doing this on a rotation basis, trying to kind of build up these relationships with these individuals generating these images and getting this money from them. It is becoming a real huge issue, as I said, particularly among the younger generation.

We’re also seeing AI being used by terrorist organization and extremist groups. It’s primarily being used, I would say, for Propaganda, but also Disinformation as part of those propaganda campaigns and campaigns and putting a lot of that information out there. We’re also seeing them using it for Translation a lot to make sure that they can reach individuals in multiple countries to bring them into their extremist beliefs and also generating images, again, with propaganda and disinformation in mind. But some examples of that, this is taken from an ISIS chat group. You can kind of blurred out in the back of the ISIS flag, but it’s an AI-generated image on an article about building bombs. So, part of their propaganda, part of their education of individuals, they’re using AI to make this look kind of more believable and kind of draw in individuals. So that’s kind of one aspect we’ve seen.

This is another one that kind of looks you know, if you don’t know what to look for, but it’s Iranian terrorists claiming that they crashed a plane into Disney World in Anaheim. You can see the Disney castle in the background and the crash plane. I would argue the plane isn’t that realistic because planes don’t tend to crash backwards. But it’s highlighting that propaganda. It’s well kind of incentivizing people to go after these kind of targets. They’re putting ideas and people’s minds using AI of ways in which you could, you know, go about conducting attacks. And that’s something we need to be very mindful of.

This is a video that was put out with Hamas. So, Hamas talking, again, this was not a real video, but it looked like a news conference of Hamas leadership talking about the Israeli army and how they wear diapers because they’re stationed for so long and that led to generated images of you know Israeli forces wearing diapers which in some cases look quite authentic.

I mean I think most people would see this as a joke but obviously there you know there can be more concerning ways in which people about providing these kind of generated images. But to the point where they even had a TikTok video that was going around that went viral where an Israeli commander was talking about the nappy. So again, they were impersonating him and getting him to speak as if it was him to kind of try and back up the story that was put out there. And this is obviously all put out there to undermine Israeli from Hamas terrorist group. So, you know, it’s that disinformation. This one, obviously, I think most people would not believe, but they are putting things out there that are much more believable and it’s making it very difficult for people to understand what is real, especially in these times of kind of conflict.

And with that, I’m going to stop talking and hand it back to Jane.

Jane: Thanks, Erin. What you’ve demonstrated there in that kind of collection of examples is just the fact that, you know, AI, unfortunately, can increase the sophistication of a lot of bad actors really quickly. And so that can make our jobs, of course, really challenging.

So, we won’t necessarily do the poll now in the interests of time, but I’ll still talk through it because I think it’s interesting in the fact that, you know, when you reflect on these kinds of questions yourself, thinking about your own environment, whether, you know, your biggest challenges relate to some of the synthetic media that Erin sort of spoke about or perhaps it’s the scale of all of the things that you’re challenged with and in some cases even organizational readiness and maturity can pop up to being a big challenge for some practitioners and workplaces. But I think what is really interesting just to kind of emphasize your point there, Erin, is that this question really is one where the risks are kind of symmetrical in the sense that the same capability that helps us as practitioners, investigators, analysts, whatever in terms of automation and language generation, pattern recognition, it’s exactly what the threat actors are going to be using against us. And so, there’s an absolute need that we ensure that we have high levels of literacy when we’re kind of engaging in our work today. Because, AI itself, it’s not inherently malicious or benevolent, really. It’s what determines that is the outcome of its use and how well we govern it and verify and all of those kinds of things.

I think a lot of these are making things extremely difficult for practitioners and we can see a world where sometimes we might not we might simply not be able to verify whether something is true or not and that’s sort of the future that we’re looking at but at the moment we’re not quite there and so there are certainly some techniques that we kind of encourage you to consider Let’s have a look at the next slide, Erin.

I think one of the key things when at least OSINT combined when we’re talking about this challenge is that, you know, we really are talking about the analyst requiring stronger discernment, which references the fact that we acknowledge that AI gives velocity and capability in a way that perhaps, threat productors didn’t before have. But also, analysts must maintain this skill for validation and be the purveyors of veracity in as much as possible.

We think the most effective lens to kind of look at this is a multi-kind of modality kind of approach, if you like, that blends both traditional verification and analytical tradecraft with AI aware cues. And so, we acknowledge that this can be a difficult task, of course. Certainly, in some of those disinformation examples, Erin, that you provided, where analysts are going to be requiring to perform validation and verification, as well as potentially some really detailed content and metadata analysis. So, you’re adding on to your traditional analytical tradecraft tool sets around critical thinking and some of your analytical practices, you’re adding onto that some quite technical skills when it comes to sort of unpicking content and metadata analysis. But we think that it’s doable at this stage if you break it down. And so, we favor kind of practical steps and some guides for that process such as inauthentic content analysis maps which we’ve written blogs about that you can check it out on our website. And so, I’ve put some key examples there around anatomical artifacts and reverse retrieval and those kinds of things which of course are always going to be helpful. Providence Chain also super interesting for us when we’re kind of considering whether how something has proliferated online and where it was created and so forth.

But for me, I can’t get my head out of this space of the meta questions, and I think that’s got to do with largely my traditional intelligence training. And so, the questions that I always come back to in addition to some of these AI-aware cues are things like, “What would I expect to see if this were true?” And so that has me going to actually, look at some of the context, which is still super important to us. And the other question I like to ask when I’m considering the adversary is, “Well, what would my adversary need AI to achieve here – Would it be scale, speed or story?” And that really speaks to intent capability and, you know, the motivation factor, of course, which we always need they always need to maintain an eye on. But having the AI helping us out, as well as applying some of that human validation and verification activity is a real emphasis, I think, to ensure that the human remains in the loop. Really, we want our analysts to think critically, act ethically, and adapt intelligently alongside the machine that they’re working with.

There’s some available resources, all available to you, to download from the OSINT Combined website, and there are certainly more available. Let’s look at some key takeaways.

I think what we’ve been able to demonstrate today as a base of sort of numerous examples across different kinds of crime types and actor groups that absolutely adversaries have access to AI and they’re not afraid to use it. And they’re certainly, experimenting with it just as we are at the moment too. Human in the loop remains essential. We’ve discussed that. And there’s an importance there for layered verification. So not just trust in one modality over the other, but kind of really thinking quite deeply about, well, what are the different kinds of ways that I can speak to reliability, relevance, credibility, and consistency when I’m looking to verify information. And as a bonus tip, always thinking about, hey, some of these deep fakes, particularly the voice synthetic media that you identified, Erin, are becoming pretty sophisticated. And so, there is an element here to prepare for the inevitable in terms of preparing your organization to harden against impersonation and to prepare a playbook if you like about what happens if. And so, I think we can’t really avoid that.

I can see we’re at time. Kathy, I wonder if we pass to you and more than happy to take questions offline and respond to people if there are any, but over to you for final words.

Kathy: Sure, we do have a couple of questions that have come in. If you two want to go ahead and address them now, we can address the two that have come in and if any others come in, we can address those offline later if that would work.

Jane: Yes, I think that’s fine for us. I can see Erin nodding. So please, please fire away. And of course, if people need to drop off, they can, and they’ll received the recording.

Kathy: Sure. So, the first question is, how do you brief leadership when you suspect synthetic media but can’t prove it?

Jane: Yeah, we get asked that one quite a bit, Kathy and Erin, you might have thoughts on this too, but I think I still go back to this factor about you need to sort of explain confidence, not just certainty, to the leadership group and so that means about being really transparent about what you do know and what you suspect and what’s unverified and being open to being contested about that too. So, you know you have to sort of be professionally honest here. So, we want people to sort of show you know their reasoning how they came to a particular conclusion, could be you know to identify the anomalies and maybe even network behavior or some kind of thing that was flagged during the analysis. But I think it’s also really useful for leadership to sort of say, hey, if this is genuine, then here’s the impact, because that’s essentially what the leaders need to know is the impact so that they can act accordingly. And then vice versa, well, if it’s fabricated, here’s what, you know, we know that the adversary is trying to achieve against us. And so, both of those things are actually really important, I think, for all leaders to know about.

Erin: Yeah, I just add to that. I think I agree with what you’re saying, Jane, but I think just transparency, I think, you know, outside of AI, when we’re talking about intelligence and the things that we find, just because something is low confidence, or, you know, we haven’t been able to verify it with a lot of other sources, doesn’t mean it’s not something that should be shared and should be part of the intelligence package. So, I think it’s just making sure that we’re using those traditional kind of ways of how we do assessment and not doing anything different just because it’s AI.

Kathy: Great, thank you both. And kind of piggybacking on that a little bit. What’s your protocol for documenting AI’s role in your findings?

Jane: Yeah, I mean, I think it’s really important, Erin, and you were just sort of touching on it then, weren’t you? Like, just because we have AI now in the mix doesn’t mean that we’re going to be throwing the baby out with the bathwater when it comes to analytical and assessment tradecraft. All of that still applies, but we need to be professionally honest and transparent about when and how AI is being utilized throughout the process. And so actually, you know, in the US, there’s some strong guidance around this point for the US intelligence community, but OSINT Combine has actually, produced a best practice guide for citing AI to just for anyone. So, don’t have to be intelligence community, could be private sector, but really it’s about accountability through transparency is essentially it. And so, you want to be pretty transparent about how AI was utilized as a part of your assessment, what tasks it supported, where the output was validated, and where the human analyst made the final judgement. So typically, I see almost like a short provenance note or some kind of disclaimer in the methods section of analytical reporting now, that’s not uncommon. But we really need to be transparent to your point, Erin, earlier.

Kathy: Great. Thank you. That is all the questions that have come in to us right now, but we do have up on the screen contact information for both Jane and Erin, if anybody has further questions, or they’d like to reach out to us.

And I’d like to thank Jane and Aaron for an insightful discussion today. As a reminder to all of the attendees, we will be following up via email with a link to the recording and other resources. And we thank you all for joining us for this webinar and we hope to see you all again at another webinar in the future. Thank you.

Jane: Thank you.

---

Have questions? Contact us.

October 07, 2025

Or, watch on YouTube

This fireside chat, “New Regulations and What They Mean for Your Supply Chain,” features legal expert Rich Hanstock and DarkOwl’s Lindsay Whyte as they unpack the evolving cybersecurity regulatory landscape across the UK and EU. The discussion explores the shift toward mandatory, continuous, and ecosystem-based compliance, highlighting key regulations such as the EU Cyber Resilience Act, NIS2 Directive, and the UK’s Cyber Security and Resilience Bill. With increasing supply chain complexity and heightened accountability, the speakers examine how organizations can proactively manage risk, leverage threat intelligence, and prepare for upcoming compliance deadlines—all while navigating the broader implications for cybersecurity professionals and industry resilience.

NOTE: Some content has been edited for length and clarity.

---

Kathy: And now I’d like to turn it over to Lindsay, a Regional Director for DarkOwl and Rich Handstock, Barrister and founder of pwn.legal to introduce themselves and start our discussion.

Lindsay: Thanks very much, Kathy. The aim of today’s session is to shed some light on the regulatory landscape as it relates to cybersecurity practices in the UK and Europe. And obviously from DarkOwl’s perspective, we’re always keen to share how our technology and ever-evolving collection approach meets these regulations. But today, it’s important to spend a bit of time setting the scene, I think, and stepping back a little, because there’s a few things at play here which affect many more professionals than just those involved in DarkInt collection and threat intelligence.

So perhaps, Rich, I can start by asking you as a specialist, legal professional in the world of cybersecurity and data privacy. What is the regulatory landscape right now with regards to cyber resilience?

Rich: Thanks, Lindsay. I think it’s quite an exciting time to be talking about this. Jurisdictions around the world, it seems to me, are converging around this idea of the challenges and risks of cybersecurity being shared, rather than seeing responsibility concentrated in states or in a few larger kind of critical infrastructure type organizations. Take CrowdStrike, for example, events like that surface into the popular imagination, the kind of sheer extent of hidden dependency on technology, many of which are not readily understood by or foreseeable to the average person and the systems we’re seeing vulnerabilities in ways that are not necessarily well understood either. But what is understood is that when it goes wrong, even for one company, even if that company isn’t currently a household name, that incident can have ramifications for a vast number of people outside that one organization. And so, if that keeps happening, and I think we have to assume that it will, that has the potential to erode the sense of security that many of us at least are fortunate to depend upon. Some of us maybe take for granted. And when that happens at scale, it can become a national security issue. But the challenge is just so huge. And fundamentally, I think governments are realizing that the cybersecurity challenge is too big, too great, too rapidly evolving for states alone to solve.

So, for the last few years in the kind of cyber policy space there’s been a discussion around what’s been termed a ‘whole-of-society’ approach to cyber security and this idea that partnerships not just between states and those key kind of private sector organizations that are deeply embedded in kind of infrastructure of the internet and so on, but critically between cooperation within the private sector, between and across markets and sectors and jurisdictions, with the focus really being now on assuring business continuity, data security and integrity, so as to project confidence to end users and to other businesses that everyone’s working together to help to keep the lights on globally.

So, to answer your question, I think it’s the recognition in policy of a need for that whole of society, everyone working together in partnership approach to cybersecurity that is driving this kind of shift in the regulations towards focus on the supply chain, ensuring private sector organizations of all shapes and sizes are taking the threat seriously, not just to their own backyard, but looking outward to their dependencies in their supply chain as well. There’s a sense, I think, that regulators need to have the power to ensure that more organizations are thinking about business continuity and security with ever broader responsibilities and so on. But it’s all about enhancing our collective security.

Lindsay: Yes, I see what you mean. And what are you saying then is the sort of general direction of travel on that basis then?

Rich: Again, it’s broadly the same idea, right? More accountability for cybersecurity throughout what are life cycles and throughout the supply chain. Whilst there is alignment around that central idea, national implementation is creating complexity for multinationals. And I think that there are effectively three kinds of big handful, big three, three big key shifts that I want to talk about.

First of all, we’ve got the shift from voluntary standards to kind of mandatory standards, at least for those who are in scope. Historically, cybersecurity standards have been kind of largely self-regulated. You can get ISO certified, adopt various frameworks, get your cyber essentials and so on. All of its really good practice. Sometimes you see those kinds of certifications as being conditional upon kind of eligibility for a contract. It’s kind of a compliance requirement. But fundamentally, they’re voluntary. And what we’re seeing now is regulators kind of saying, well, if you’re in scope of our regulatory powers, that’s not going to be enough. You need to have these as kind of a minimum baseline. And that’s why we’re seeing kind of legal duties of care being put on kind of manufacturers and operators, as well as just the critical infrastructure providers. That’s shift one, voluntary to mandatory.

The second shift is a move from point in time security and assurance, to more continuous monitoring and assurance, which is kind of linked to the first point. It’s not performative, or supposedly, it’s not just performative. You need to be taking this kind of focus on effectiveness and outcomes rather than just ticking boxes. So, for example, under the CRA, the EU’s Cyber Resilience Act, you don’t just certify a product is secure when you launch it, you’ve got ongoing obligations throughout its life cycle. So, if three years after release of vulnerability emerges, and it’s being exported, and you become aware of that, you’ve got specific notification timelines that are pretty sporty, actually, to the relevant authorities. And that fundamentally changes what compliance looks and feels like inside an organization. It’s not just okay, we’ve got a stiff cut on the wall, big tick. It’s a continuous operational responsibility. That means that you have to understand the threat environment as it evolves. So, voluntary to mandatory, point in time to continuous.

Thirdly, from perimeter thinking to more ecosystem thinking. It’s this idea that traditionally compliance is focused on your backyard, within your fence, your organization’s security. These new regulations effectively make you responsible to an extent for understanding your own supplier’s security. And in some cases, your supplier’s suppliers, this kind of idea of nth-party security, where does it stop, you’re now accountable for risks that you might not even have visibility into at the moment. There’s kind of a question about underwiring your ability to discharge your own responsibility by getting insight into what your suppliers are doing. That’s part of the challenge in effect. And critically, the penalties of getting bigger and sharper teeth, you know, like 15 million euros, two and a half percent of turnover for CRA, that really changes the conversation in the boardroom. And we’ll hopefully empower CISOs and certain people who are responsible for compliance in this space to be stepped up and listened to and maybe have more budget than typically they’ve had previously.

Lindsay: That’s such a good point because there are now just these endless strings of supply chains in this day and age. Why do you think these changes are happening then?

Rich: Well, I think primarily it’s the instance that I mentioned. We can list them off all day, SolarWinds, CrowdStrike, JLR, MLS, these weren’t necessarily isolated attacks on single companies in terms of the way that they were, that the impacts were felt, these were supply chain compromises that kind of cascaded across many people, many different organizations and I think we have seen regulators watching companies with quite sophisticated security programs getting breached because of vulnerabilities in third party software that they maybe didn’t have any or enough visibility into. That goes back to the point I made a moment ago about perimeter-based security, just not really working when the threat enters through your supply chain. We’ve also got because of that kind of cascading effect, the kind of sense of market failure, where cybersecurity incidents are what economists might term a negative externality, right? When a product is insecure, that it’s not the manufacturer alone that bears all the cost, customers suffer the impacts of breaches, critical infrastructure is disrupted, but the manufacturer’s liability might not necessarily capture what is regarded by the sort of person on the street as kind of being fair. The idea is that if markets aren’t naturally optimizing for security because of the externalization of some of the cost, regulation; there’s a case for regulation stepping in to correct that market failure. I think regulators are trying to use the law to internalize those costs to kind of make manufacturers and operators bare the true cost of insecurity.

Which actually leads me onto another important point, which I think is often overlooked in this space, which is the insurance market. This has been a lot of conversation about this, around the JLR incident. Insurers, I think, have historically struggled to price risk effectively to understand the risk because there’s no kind of standardized way to assess security practices across supply chains and I think without that without baseline security standards there’s a risk that the risk transfer mechanism it kind of breaks down. So, look at the discussion around insurance up to JLR, would it even, would the insurance that JLR was criticized for not having picked up even have been sufficient? Maybe not, right? And to the extent that that reflects a gap in the market, I think we’re going to see the insurance market mature, partly as a consequence of these regulations, partly as a result of the incident and the discussion that is now going on about it.

It’s not just about preventing breaches is my point. I think these regulations are also about creating more predictable risk environments so that insurance markets, ultimately capital markets, can function more effectively. So, without that predictability or that ability to understand what’s going on in the supply chain, where the dependencies are, where the vulnerabilities are, there’s a risk that the digital economy is more unstable than we would like it to be.

Lindsay: And on that question of the new regulations, could you talk a little bit more about what they are saying?

Rich: Sure. I mean, there’s a lot of them. I know you’ve– I think we’ve got a slide. If you could call that up, that’d be great. I’m not going to try and cover all the detail now, but I think there are kind of two or three main tracks.

We’ve got the EU Cyber Resilience Act, which came into force in December last year. The reporting obligations kick in in September 26th, full compliance by the end of ’27. NIS2 alongside that came into effect in 2023, which that was really about expanding critical infrastructure obligations. And a lot of the conversation in the UK now around the Cyber Security Resilience Bill is about extending original NIS regulations to managed service providers, bringing a big chunk of the supply chain into the scope for the first time. We’ve talked at the beginning about the big handful shifts, and we’re drilling down now into some more of the regulations and what it is that they actually say.

I think Question Zero the clients always ask is, am I in scope? I know scope is expanding, there’s a lot of talk about the fact that scope is expanding and the greater burden that therefore imposes on people. That’s obviously an interesting and important feature of these regulations, but it tends to drive the conversation around, while there are some new regulations coming, how do I avoid them or minimize my exposure to them? Obviously, that’s important to understand it, but I always advise clients that the conversation doesn’t stop there. So, kind of my prediction is that the requirements that each of these frameworks bring will over time become market norms, to the extent that we could see those requirements invoked by analogy, like in private litigation, even those who are outside the scope of regulatory jurisdiction. So, if you have an obligation, say in a contract, to take reasonable steps or perform due diligence, I think we’re going to see a failure to take steps that in some sectors are required by regulators, potentially being deployed against people who are otherwise out of scope in litigation or at least in negotiation around a commercial contract or following an incident. I think it makes sense that whether you’re in scope or not to understand what more you can do to understand your exposure to risk.

Big handfuls, if in the EU manufactured importers, you’re looking at the Cyber Resilience Act, so if you’re making or importing products with digital elements into the EU, so that could be software, IoT devices, anything connected, you’re going to have obligations at sort of three main stages. Before the market, you’re looking at being able to demonstrate security by design in software and hardware, risk assessments, documentation, so on. At market, the things like CE marking, conformity assessments, kind of build on the pre-market stuff. You’re looking at creating what’s called software builds of materials, or SBOMs, in a particular, format that need to be given to regulators on request to goagain, to show that you understand where the dependencies are in your software.

Then the big shift is throughout the lifecycle of the product, right? You’ve got a monitor for vulnerabilities in your product throughout a support period, usually five years. And if you become aware of a vulnerability that’s actively exploited, maybe through responsible disclosure or otherwise. You’ve got to notify National Authorities and ENISA within 24 hours, a detailed report within 72 hours, final report 14 days. This is pretty quick in the context of an incident, right? And critically becoming aware can include constructive knowledge. So, if it’s publicly available, you could be deemed to know. So, you need to be monitoring what’s going on, have a vulnerability disclosure policy and be engaging responsibly with those who make those responsible exposures, that’s a bit of a bugbear of mine.

NIS2 then, if you’re kind of an essential or important operator in say energy, transport, banking, health, infrastructure, those kinds of sectors, in the UK this is expanding to MSSPs, you’re going to have similar kind of key obligations around risk management, including understanding your supply chain and your exposure to risk there. Again, incident reporting, early warning within 24 hours, 72 hours, detailed notification, final report within a month. And so, you can see like an integration point here where if you’re an operator within this too, you’ve probably got to verify your supply is compliant to the CRA.

So effectively, what we’re seeing is a cascading accountability. So, you can’t just take your vendors at their word, you know, you just get a warranty that says, “Oh yeah, we comply with all of this stuff “and it’s all fine.” You actually need ongoing visibility into their security posture as well as your own. And it makes sense as well to make sure that you have the contractual levers, but critically the relationships in which those levers might be pulled to ensure that you’ve got the right information available to you and to demonstrate that you have the right information if a regulator comes knocking, as well as the competence to interpret that information. So, this is about investing in relationships, contracts, people, so that you can ensure that you’re able to assure a regulator or a supplier that you have the visibility that you need into your organization, but also those on which you depend. It’s really, really quite broad.

Lindsay: Yeah, and I guess, bringing these two subjects together, you know, taking that spider’s web of supply chain now, can companies in your opinion rely on, you know, the government for all matters relating to threat intelligence, you know, is it sufficient to rely on the government and, you know, government punishments and that sort of thing to prevent threats in future?

Rich: No, so I think the short answer is no. Why threat intelligence with government on its own isn’t enough and I think that is by design, going back to my point earlier about kind of reducing perceived dependence on government to mitigate these risks. And I think effectively the regulations are structured to make sure that you are taking responsibility for your own security, your own company’s security, as well as that of your supply chain, and to make that make commercial sense. That’s the point about regulation to correct perceived market failure. From a big broad policy perspective, I think that reflects a broader global shift in thinking about commercial resilience as a component of national security, in which we all play a part, right?

So again, come back to JLR. People are asking now, what is the proper role of the state when an incident hits, right? Kind of like the conversation we were having a few years ago, about banks and fraud, right? Who should bear the cost of a hostile act? and what protective measures need to be in place to then fail and how severe do the impacts need to be before somebody other than the victim, typically in that dynamic, a consumer, intervenes or maybe even the state intervenes to kind of swaddle or mitigate the loss.

And my sense is that these regulations are kind of the beginning of a clarification of what the role of the state is in a cyber-attack, a cyber incident, like it’s more about the state setting standards and enforcing them, but giving advice about how to meet those standards without providing the kind of operational security service at scale for individual companies or people in the supply chain. That’s everyone’s responsibility, not just the state. It’s that whole of society approach again, right? And again, so states can help with things like quality assurance to a credit, cyber security solution providers. They can help with setting what cyber essential should be, but that sort of thing. But the day-to-day security, your backyard and your competitors, that’s on you, that’s the clear message. And you can kind of see that as and when a critical mass kind of adopt that mindset to the extent that that hasn’t already happened whether compelled through regulation or voluntarily, the idea is we should be more secure because there is this natural surveillance within the market around threats, but that doesn’t mean you can out source it, you need to be looking at our own and those on who your continuity depends.

Specifically on threat intelligence, I think government threat intelligence is clearly invaluable. The NCSC in the UK, CISA in the US, ENISA in the EU, it tends to provide the quite strategic contextual information about kind of nation-state level threats, because that’s naturally where the focus is, kind of big vulnerability disclosures, maybe some sector-specific guidance. But because it’s operating at that macro level, it’s not enough on its own, that’s why I say it is not enough, because you look at the what the CRA and NIS2 require you to be looking for; they are requiring you to monitor for threats that are really quite specific to your products and your supply chain and that means effectively if your components have got vulnerabilities, if your credentials are circulating on criminal forums, if your employees or contractors or suppliers are vulnerable or being targeted that kind of granular operational intelligence is on you to collect and understand and interpret and assess. Government just can’t provide that kind of granularity as a service to all industries all of the time. They don’t know your specific bit of material, your supplier relationships, your attack surface. And there’s always a bit of a lag, right between the filtering down of government intelligence to, to public advisories, right, by which time the pace at which the threat is evolving, especially with AI and so on, its attackers have probably moved on a little bit. I think that’s always part of the challenge with public advisories. And I think governments accept this, right.

We’re seeing regulatory guidance that explicitly encourages companies to use commercial threat intelligence, right? Look at the British lawyer, look at the NCSC, for example. The NCSC’s guidance on supply chain security recommends continuous monitoring using multiple intelligence sources and seeks to equip companies to kind of understand what the market is offering in the threat intelligence space and the continuous monitoring space in order to make an informed choice for their organization as between what could be quite expensive, in some cases, and quite technical, different products. So yeah, that I think is the role of government. It’s helping you to make choices, but it’s the making of those choices that you still need to do in order to get the information that you need. So, if you’re relying solely on government threat intelligence, you’re probably not going to satisfy the appropriate procedures standard in the regulations. You need to be demonstrating proactive continuous monitoring, tailored to your risk profile. Loads of vendors do that, some are better than others.

I think fundamentally these regulations are trying to align compliance incentives with actual security outcomes. The idea is that we move away from this box ticking compliance much more towards actually improving your resilience to cyber attack, which is kind of in your commercially interest anyway, right? But it’s also about making sure that you can demonstrate if you’re audited or if a supplier comes knocking that you are doing all the right things, as well as actually using the intelligence in the right way.

Anyway, I’m conscious I’ve been talking for quite a long time, and I’ve got a few questions for you, Lindsay, if I may, about your experience at DarkOwl. So, reflecting on your experience with your clients, people who use your products, what kind of common challenges are they facing? Why is supply chain security important to them?

Lindsay: There’s a few reasons. I think one is best explained by the way that cloud technology is creating what could be described as a logarithmic network effect, the sort of spider’s web that I described earlier, where the ease of integrations between technology, which is a brilliant thing, causes an enormous reliance on external parties and risks from the supply chain. I mean, as you mentioned earlier, and I think it’s worth repeating. We know that last month that the CEO of Sophos, an enormous European cybersecurity company, Joe Levy, he summed it up nicely by saying that third party risk management is now “Nth Party Risk Management” that deserves being repeated, given the endless string of supplies involved in the provision of a product or a service.

And it’s not just B2C end products. Most B2B products on the infrastructure level now can’t escape a world of interdependence and over reliance on suppliers. We all thought data centers were that sort of the end of the supply chain thread where risks are more controllable from a sort of compliance perspective, etc. But you just have to look at the recent events with underwater sea cables in the Red Sea to realize that no one is safe.

And I think another big issue is the diversity of regulations as they relate to supply risk. If your supply chain is getting longer, so too is the certainty that some of those supplies are based in a different jurisdiction to your companies, and they’re probably more focused on that jurisdiction too from a compliance perspective. So, one of the regulations that you mentioned, the UK Cybersecurity and Resilience Bill, you know, that extends the current network and information security systems regulations to cover more ground, like you mentioned, managed service providers. And that is an enormous chunk of the cybersecurity supply chain for almost any sized company. So, not only are you contending with different suppliers, more supplies, but also, different countries and approaches to regulations in which those supplies operate.

Rich: Yeah, so thinking about those security professionals’ jobs, how are they impacted day-to-day by these regulations?

Lindsay: Yeah, I think that’s probably why we talk about people specifically working in the roles within threat intelligence and allied professions. If you take a look at the micro level, there are so many things to talk about even just within that category.

There’s a lot of things to consider. There’s the onboarding of third parties and all the checks that that entails. For example, you have within the lifetime of a third-party contract, the ongoing maintenance and technical debt, there’s the offboarding, the decommissioning phase, often done so often with less sort of support from cross functional teams who just want to get rid of the contract they have with this supplier.

There’s the ever-evolving world of application security too. But then, what about the consultants, in a world of outsourced services and staffing? You know, the people who have been working on this technology or so, have they got key cards on them? Then there’s that added issue of maybe areas that are blended with corporate security responsibilities. You need to account for those and stepping back even further. This is all in a world in which an information security professional probably doesn’t actually own the supplier relationship or even project manage the deployment. So, looking at all of these variables on both the job level for people working in security through to this macro level of nation state threats as you mentioned quite rightly in the complex and independent supplier applications and networks. It’s no surprise that some of the prevailing guidance is about how to take matters into your own hands as you ended with, because we can’t readily rely on the government to sort it out for us.

Rich: Yeah, I mean, there’s the inflection point right between what we’ve been talking about. New technologies and sort of big data, there’s more data out there swimming around, there’s got to be an opportunity there, right, to better understand these threats?

Lindsay: Yeah. We should probably talk about something positive, I think in all of this, because no doubt we’re all affected by the speed with which data can be crawled and fused in the threat intelligence sector. And yes, the explosion in supply chains means that there’s more ways for threat actors to get lucky, you know, business email compromise, service desk social engineering and beyond, you know, there’s a broader attack surface, meaning there’s need for more threat intelligence. And I think thankfully, there’s now a renewed attention you’re starting to see on threat intelligence and open-source intelligence that encapsulates everything from APT group reconnaissance to Twitter feeds and ways that we confuse this normalized data to give warning signals to information security pros. Alert fatigue is a problem especially, you know the moment you introduce responsibilities to monitor the supply chain and the wider regulatory sort of consequences for doing so the answer will inevitably lie in looking over the horizon, looking over the IT network and strategically addressing the issue rather than tactically. And technology can certainly help us do that.

Rich: What a neat segue into DarkOwl. So how has DarkOwl helped to equip information security professionals and others to navigate that increasingly complex environment and think differently about how it and get ahead of those risks?

Lindsay:  Yeah, when we were sort of thinking about this, we developed something called DarkSonar. So, DarkSonar is a risk score. So that when there’s been more activity surrounding a company’s domain and staff credentials on the darknet, essentially it would let you know when there has been more exposed than you’d normally expect. Breaking this apart a little bit, it gives a relative risk rating to an email domain that considers the nature, the extent and severity of credential leakage on the darknet to provide a company with a signal that acts as a measurement for a company’s exposure in advance of an attack. Because we know that one of the biggest threat vectors to this day is still compromised credentials for entry to a system. And we tested this metric against 237 cyber-attacks occurring between 2021 and 2022 and found our signal was elevated within the last four months as it says there, a prior to an attack for 74% of the attacks on organizations. And I suppose there’s three things going on here.

So, number one, it’s data-driven future warnings as opposed to alerts after the fact. Number two, it’s scalable to all domains and supplies included. In fact, Security Scorecard have endorsed this for us publicly for this reason. And then finally, it offers companies the ability to measure market benchmarks because their supplier may not know where their exposure lies in relation to other companies, especially in relation to government departments and local councils, for example, that sit side by side, but are actually not always sure as to what exposure level they should come to expect, especially if you can benchmark it against predicting breaches and ransomware attacks.

So, this is the way for you and your supplier to do just that. It’s one contribution we’re making to at scale help organizations look over the horizon at risks to their suppliers and by extension themselves.

Rich:  That predictive model sounds really critical for businesses that are trying to get ahead of a threat, right? And/or if you want to criticize someone else in your supply chain who didn’t get ahead of it. I was just going to say, did you have some slides that kind of demonstrated that?

Lindsay: Yeah, so if we look at a couple of examples that we threw together of sort of brand names just to make the data pop a little bit, you can sort of just visually sort of evaluate the success of using this sort of metric to predict an oncoming attack, just looking at Fujifilm and Robin Hood and their ransomware and data breaches that they experienced, respectively.

So yeah, I mean, this is something that we’re working on, we’re always looking for people to try it, to test it out. We like to be very transparent and understand where people are in their journey. This industry only works, threat intelligence only works if, you know, information flows both ways and we can certainly benefit from that. So, I mean, talking of that, I mean, perhaps we can turn to some questions from the floor because we’ve both been talking enough now.

So, Kathy, I don’t know if any questions have come in, but we can maybe answer any in case.

Kathy: Yes, thanks, Lindsay. We have one question that came in. It is, your webinar is looking at future trends, but from existing commercial customers, is DarkOwl seeing any trends today and how to leverage the darknet?

Lindsay: Good question. It’s funny because I was reading the UK government’s chronic risk report that was brought out last month and inside it, it details the ways in which so many risks are converging. So, I mean, the report itself was consistently emphasizing the interdependence of cyber risks, geopolitical risk, economic risk, even ecological risks. And one of the long-term uncertainties they officially were outlining is that the internet is going to become fragmented into sort of splinter nets, which basically means that, you know, the internet will fragment, thanks to regional policies, which will sort of isolate digital interactions and data access, creating sort of digital islands. And when you add that sort of thought to, okay, at the same time in the UK, we’ve got a, you know, explosion of VPN adoption since the online safety act and the sort of the risk we’re re-anonymizing the internet. Really, what that all means is a big trend we’re hearing from customers and partners is that they’re finally treating the darknet as an online space, just like the rest of the internet, which is needed for brand protection, situational awareness, just as importantly as they’re using the surface net for those same purposes.

Kathy: Okay. Thank you, Lindsay. We have another question that has come in: We are a mid-sized manufacturer, December 2026 feels close for CRA reporting obligations. What should we be doing now?

Rich: Yeah, it is close. I tend to advise my clients to kind of phase their preparation over the next 12 to 18 months if they haven’t started already. Their objectives really need to be to getting and making sure they’ve got the right people on it, first of all, sort of the right consultants, lawyers, to help to ensure preparedness. And the first thing to do, I suggest, really is to map the supply chain, get visibility into what components you’re using, who your critical suppliers are, what your relationships look like, what contractual and commercial levers you’ve got to get information about their exposure to risk.  Where you have a gap? How do you fill it?  Do you need to buy threat intelligence?  Do you need to buy access to data?  That kind of thing, then you assess your vulnerability monitoring.  Can you at the moment detect when your components have actively exploited vulnerabilities? Are you researching vulnerabilities entering software yourself. If not, I suggest certainly the former is quite a serious gap. Start looking at continuous monitoring solutions, get some quotes, start integrating. Then if you’re not already generating SBOMs, the builds and materials start building or procuring that capability, because that’s again foundational to compliance.

And then once all that’s in place, we need to look at incident notification planning. So, running tabletops, what does it look like in practice to meet that kind of 24-hour notification timeline as the case may be, who needs to be involved, who calls whom, at what point, who makes the decisions. And these could be quite big decisions, right? Like, do we pay a ransom? Like, whose job is it to decide and what’s recorded. Where is it recorded? Probably not on a compromised system, right? Whose job is it to record everything? And then test them, test the response procedures, document them, improve them, test them again. And it’s kind of acontinuous cycle.

What else? Reviewing supplier contracts, you probably need or will be asked to give kind of CRA specific warranties and indemnities, Make sure they’re fair and that there isn’t this kind of knee jerk, complete and utter transfer of risk onto you. Think as well about on the topic of risk transfer, think about insurance. Whilst I think I’ve said that the market is still maturing, if you’re not insuring, make sure the risk is at least surfaced and noted at the correct level. I think the companies that struggle in 2026, 2027 will be those who kind of see this as a bit of a last-minute compliance exercise trying to buy their way into like a performative compliance at the last second. Like not acting now I suggest is also a decision and you should think about where the accountability for that decision might lie and if you don’t know where that is, it’s probably you. The companies that are succeeding in in 2027 will be those who have embedded security monitoring, continuity planning, and so on into their operations. Now, easier said than done, right? It needs investment and time and money and people, but that’s the way of the world.

Kathy: Great. Thank you, Rich. Both Lindsay and Rich, that looks like that’s the last of our questions, and I just want to thank the both of you for an insightful discussion today.

And as a reminder to all of our attendees, we will be following up via email with a link to the recording and other resources. If you’d like to contact either Lindsay or Rich, their contact information is presented on this slide. And we thank you again, and we look forward to seeing you at another webinar in the future.

---

Questions? Contact us.