Our CyberXCHANGE event series brought together CyberCX experts and customers from across Australia and New Zealand to discuss the latest insights and trends related to the cyber security landscape.
One of the segments unpacked the 2026 Hack Report with Executive Director, Security Testing and Assurance Victoria, Liam O’Shannessy.
Liam and CyberCX’s team of global offensive security experts moonlight as threat actors to identify, exploit and assess vulnerabilities in organisations. In this year’s Hack Report, they share insights on the state of cyber vulnerabilities across our economy, drawn from more than 70,000 findings.
From emerging vulnerabilities and AI-driven risks to the varied security challenges shaping different sectors, the conversation focused on what organisations should be doing to bolster their defences.
Here are the top questions asked in the room about the findings of the Hack Report and what Liam had to say.
Q: What is the key takeaway that defenders should take back to their executives about the severe findings breakdown by industry?
A one-size-fits-all approach doesn’t really work. Every organisation has their unique areas of strength and weakness, as well as their own risk criteria. To drive an effective security strategy, they need to first understand where vulnerabilities affecting them originate.
We need to recognise that if we’re only looking at threats, focusing on what threat actors are doing, and then introducing controls just to respond, the best we can hope for from this strategy is to keep pace with attackers. We will never actually get ahead.
To get ahead of attackers, we need to demand more. We need to get ahead of the curve and start thinking differently and asking questions like: what would the blast radius be if something goes wrong? Can we design systems and build architectures that inherently minimise or even eliminate certain risks?
So rather than being purely reactive, keeping a risk lens front and centre needs to be our guiding light in driving proactive design, resilience, and smarter decision-making from the outset.
From the Hack Report (page 13): To compare the state of cyber security across different industry segments, CyberCX analysed the proportion of engagements that resulted in severe findings on a per-industry basis. The baseline across all industries is 29.0%.
Q: The Hack Report delves into trends over the past three years. Looking to the future, what emerging trends are on the horizon that will feature in the 2027 or 2028 Hack Report?
One of the big transformations, driven by AI and other factors, is some organisations moving away from SaaS. There are a few reasons why, including SaaS vendors charging more for premium licences, and AI turbocharging the internal capability to create and rapidly deploy solutions.
As a result, we’re seeing more being built and delivered in-house. But the key question we need to ask is: do our security processes support that shift?
In most organisations, that remains an unsolved problem – and it’s the source of many emerging risks. While many of these SaaS solutions are expensive, they do come with significant investment in security. If we’re trending away from that model, we have to ask: where is the security coming from, and how are we ensuring it keeps pace with what we’re building internally?
Q: Does CyberCX use AI for penetration testing and do you see it replacing the penetration tester in the future?
We get asked this question a lot. One of the partners we work with puts it well: “AI won’t replace penetration testers, penetration testers using AI will replace penetration testers”, and I agree with that.
We’re already using AI across many parts of our workflow. There are still things that humans do better than computers, and that’s an important point to keep in mind.
The real transformation being driven here is understanding what people do best versus what computers do best, and then deliberately allocating those tasks across the workflow so we can play to humans’ and AI’s strengths.
When we think about what a human augmented with AI can achieve, and especially when we start to look at the economics of AI, which is becoming a much more active discussion, we need to ask: what is expensive to do with AI, and what is efficient and cheap? When we align strengths to strengths, we start to see real gains.
We can already see this playing out in penetration testing workflows – from vulnerability identification and exploitation, right through to reporting and communicating with customers.
In cyber security more broadly, an important point often gets missed. If the question is, “How can AI help me cut my budget and achieve the same outcome as today?”, you’re missing the real challenge, because that’s not how attackers are thinking.
Threat actors are using AI to massively increase their capabilities. If we want to stay ahead, we need to adopt the same mindset and aggressively scale our own defensive capabilities.
Q: Are you seeing organisations get better at actioning critical findings? Are they remediating them faster, and are there well-thought-out procedures and processes that you see some organisations doing well?
We are. What we ultimately care about is risk, and we can’t lose sight of that. If our vulnerability management fails, then what? What is our ability to detect a breach or respond to a breach, and what are our metrics around that?
For all the challenges we have in vulnerability management, the reality is that we’re often less mature in detection and response than we think we are. We may have all the tools in place, but we have very little assurance about how well we’re actually performing.
That’s where we’re seeing a significant uplift in focus. We’re working with organisations to simulate real-world attacks and uncover the blind spots – where detection fails, where response is too slow, and where coverage simply isn’t there.
Often, what we find is that expensive tools purchased by organisations are sitting there with default configurations, not properly tuned to the environment, and potentially missing critical threats. That represents a relatively easy uplift, and we’re seeing more organisations recognise this and start to take action.
Q: For customers in the room grappling with larger numbers of vulnerabilities, what is your advice? Is it to do more penetration tests, or is there a better strategy when the environment is becoming more complicated?
I’d love to say that more penetration testing is the solution, but the reality is we need to take a more holistic approach. We absolutely need to get faster and more responsive when it comes to patching issues, but we also need to recognise that patching isn’t entirely within our control.
When it comes to managing vulnerabilities, there is a massive amount of supply chain risk, and there are parts of that supply chain where we have varying levels of confidence. This isn’t a conversation we’re consistently having today.
For example, which of our vendors can identify a vulnerability and deliver a patch within hours that we can actually deploy? Larger vendors often have the scale and maturity to do this with some agility, but there are many others that simply aren’t operating at the level they need to be.
Q: Given that social engineering remains one of the most significant vulnerabilities – and is only getting worse with the rise of AI – what are the hard controls we can put in place to mitigate that risk?
The success rate for social engineering attacks is still incredibly high. One of the rare cases where we didn’t succeed involved an Australian organisation that had specifically invested in addressing the risks of deepfakes by implementing stronger processes and controls – and it worked.
In that case, individuals within the organisation genuinely believed they were speaking to an executive from their organisation when we ran social engineering calls, but the embedded verification processes held firm and prevented the attack from succeeding. It was a fantastic result – but it’s the exception rather than the norm.
At the moment, this is one of the few organisations we’ve seen that is effectively defending against AI-powered deepfake attacks. There needs to be more like it. We explore this issue in more detail in the Hack Report.
Download the Hack Report today to understand the full breadth of insights, including the top vulnerabilities leaving organisations exposed, and what you can do to mitigate the risks.
