Looking back at the 2026 EU MITRE ATT&CK® Community Workshop

Threat modelling is not the preserve of IT security teams alone. Jennifer Henoch and Dennis Verslegers demonstrated that, with the right taxonomy and communication approach, ATT&CK can serve as a shared language that makes cybersecurity concerns intelligible across the entire organisation from GRC and risk teams all the way to the board. Threat mapping must remain meaningful: it should reflect each organisation’s unique threat landscape and processes. Jan Kopriva illustrated this point in the public sector, sharing the example of sector- and geography-specific threat models circulated at the ministerial level to raise administrative awareness.

AI is reshaping both our daily lives and the way we practice security. Because AI systems make autonomous decisions, they introduce risks that must be understood, evaluated and mitigated. Ana Lakshmanan stressed the importance of building resilient AI security controls and proposed a practical six-tier model for imagining security in the age of AI. Frameworks such as ATT&CK and ATLAS continue to evolve to stay relevant and useful in this new environment.

The workshop made clear that defenders are not starting from scratch. In a live demonstration, Jeroen Vandeleur showed how humans and AI can work in concert: a red team defines the target and attack strategy while AI agents handle reconnaissance and automate execution. This human-AI pairing proves valuable for both red teaming and purple teaming exercises. On the defensive side, Sébastien Deleersnyder introduced the surgeon model, in which AI accelerates repeatable work so human defenders can focus on context and risk management. Ian Davila also highlighted the power of generative AI to help defenders prioritise threats efficiently.

For cyber risk to matter, it needs to support priority-setting and translate into concrete decisions. Context is the decisive factor, for instance by validating controls that are already in place to verify whether existing solutions genuinely mitigate or prevent a given risk. Risk that does not inform action is risk that goes unmanaged.

Turning security frameworks into operational practice attracted strong interest throughout the day. ATT&CK remains a cornerstone tool for SOC teams, enabling analysts to characterise threat actor behaviour rather than cataloguing isolated techniques. By contextualising adversarial actions, defenders are better placed to detect them. At the European level, the SAFE project is advancing efforts to strengthen national SOC capabilities; a timely initiative as the threat landscape grows more complex.