The ITSPmagazine Podcast

From Threat Intelligence to Cyber Resilience: What SMBs and Enterprises Need to Know Now | A Brand Spotlight at RSAC Conference 2026 with Tony Anscombe, Chief Security Evangelist of ESET

Episode Summary

At RSAC Conference 2026, Chief Security Evangelist Tony Anscombe pulls back the curtain on how ESET turns global threat research into prevention-first security for businesses of every size. From campaign-level threat actor patterns to a surprising survey finding about cyber insurers running MDR -- this is the kind of signal the industry rarely talks about this plainly.

Episode Notes

On the RSAC Conference show floor, Tony Anscombe shared how ESET has expanded its threat intelligence offering with ECR reports -- designed to give commercial organizations both machine-readable feeds and human-readable analysis. The reason: threat actors are increasingly hard to attribute, they share tools, run coordinated campaigns, and reinvest profits into more sophisticated operations. Having someone do the research and surface actionable intelligence is no longer a luxury.

Anscombe pointed to a telling campaign pattern from last year: threat actors refined attack methods against UK retailers, then rapidly adapted those same techniques against US retailers. The implication is clear -- your business may be unique in its infrastructure, but it is not unique in its sector. Understanding how your sector is being targeted is the foundation of a prevention-first posture.

Automation came up as equally non-negotiable. If it takes three days to collect all the information needed to make a determination about an incident, the post-attack phase has already begun. ESET Inspect is designed to flip that equation: when an analyst opens an incident, the forensic analysis is done, the evidence is visualized, and the determination can be made from the facts at hand rather than from information the analyst still has to gather.

Anscombe was careful to draw a line between automation as speed and automation as replacement. ESET's position is that AI should operate alongside human expertise -- trust and verify applies to AI-assisted analysis just as it does to any intelligence feed. Oversight remains essential, even as the tooling gets faster.

A preview of upcoming survey data offered one of the more striking moments in the conversation. Roughly 35% of SMBs using MDR are sourcing that service directly from their cyber insurer. Anscombe flagged the monoculture risk: when a large share of businesses in the same sector run identical security stacks, a single point of failure becomes a sector-wide vulnerability. His advice after 30 years in the industry -- different organizations should deliberately choose different platforms to maintain diversity.

This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight

GUEST

Tony Anscombe, Chief Security Evangelist, ESET
LinkedIn: https://www.linkedin.com/in/tonyanscombe/

RESOURCES

ESET: https://www.eset.com
ESET Threat Intelligence: https://www.eset.com/int/business/services/threat-intelligence/

KEYWORDS

Tony Anscombe, ESET, Sean Martin, Marco Ciappelli, brand spotlight, brand marketing, marketing podcast, threat intelligence, cyber resilience, MDR, EDR, XDR, managed detection and response, SMB security, cybersecurity automation, RSAC Conference 2026, prevention-first security, cyber insurance, monoculture risk, ESET Inspect, APT research

Episode Transcription

[00:00:10] Sean Martin: Just like that. We need the board.

[00:00:15] Marco Ciappelli: No.

[00:00:16] Sean Martin: No, no board.

[00:00:17] Marco Ciappelli: Snap your finger.

[00:00:18] Sean Martin: You don't have time for a board.

[00:00:19] Marco Ciappelli: Magic. It's all magic. All AI.

[00:00:22] Sean Martin: Things happen. Whether you're prepared or not.

[00:00:25] Marco Ciappelli: I'm prepared.

[00:00:26] Sean Martin: Yeah.

[00:00:26] Marco Ciappelli: I'm prepared. Because what we're talking about here mostly is AI. So if you know a little bit about AI, you can get all the way around the floor a little.

[00:00:40] Sean Martin: Makes you golden. You're golden.

[00:00:42] Marco Ciappelli: Yeah.

[00:00:42] Sean Martin: Right.

[00:00:42] Marco Ciappelli: Well, I guess so, but the good news is it's not just me and you talking about things. We have a great guest, which we already had an opportunity to talk to before the event. He came all the way from the UK, I heard.

[00:00:57] Tony Anscombe: I did.

[00:00:58] Marco Ciappelli: And the weather?

[00:01:00] Tony Anscombe: Not as nice as this, but it actually was pretty good when I left the UK. It was about 15 degrees cooler -- a proper spring.

[00:01:08] Marco Ciappelli: There you go. And we know from the prior conversation, this is not your first rodeo. Not your first RSAC Conference.

[00:01:16] Tony Anscombe: That's an interesting one. When do you think my first RSAC was?

[00:01:21] Marco Ciappelli: I don't know. 20 years ago?

[00:01:25] Tony Anscombe: Any advance?

[00:01:27] Marco Ciappelli: 25.

[00:01:28] Tony Anscombe: My first one was 1998, when it was held at the Fairmont Hotel.

[00:01:33] Sean Martin: Whoa.

[00:01:35] Tony Anscombe: Yeah.

[00:01:36] Marco Ciappelli: You have seen a few. Was it all about AI at that time?

[00:01:42] Tony Anscombe: Fortunately not.

[00:01:44] Sean Martin: All right. So for people wondering who's sitting here with us -- Tony from ESET, good to see you.

[00:01:50] Tony Anscombe: And you.

[00:01:52] Sean Martin: Very good.

[00:01:53] Marco Ciappelli: Good to see you this time in person.

[00:01:54] Sean Martin: Yes. So we had a chat about a report you put out -- the ECR report.

[00:01:59] Tony Anscombe: We certainly did.

[00:02:00] Sean Martin: Yes. And so I'm going to encourage folks to listen to that, but give us an overview just so folks have context.

[00:02:05] Tony Anscombe: So the ECR reports are a threat intelligence offering. We've had threat intelligence for a number of years in the form of APT reports and a number of different feeds that customers can get. But we've enhanced that and added ECR reports because commercial companies certainly need to have that context and that threat intelligence, both in a feed and in written form. You can digest it in different ways and implement it in different ways. I think it's really important because there's a lot of crossover as well. Threat actors are using different tools coming from different places. Attribution is tough. So actually having somebody that's doing the research and providing the actionable intelligence is really important.

[00:02:55] Sean Martin: Right.

[00:02:55] Tony Anscombe: You need to know this affiliate might be using these three EDR killers, and then the next phase after those EDR killers might be these tools in place. With that intelligence, you can block the attacks.

[00:03:11] Sean Martin: Right. It's all about knowing the kill chain.

[00:03:13] Tony Anscombe: Absolutely.

[00:03:14] Sean Martin: Absolutely. So let's shift gears a little bit. Having that understanding and then communicating it -- how you solve for some of the problems that surface because of attackers being so successful. How do you connect with people here at the RSAC Conference to say, here's what we're able to do relative to what you're struggling with?

[00:03:43] Tony Anscombe: That's a good question. From our standpoint, it's about prevention first. You've got to provide protection and prevention to stop the incident. A lot of cybersecurity people talk about an early post incident -- once something happens. But if you can actually prevent it from happening through things like intelligence, then you're ahead of the game. And that's really important. You often hear things like the endpoint might not be so important to protect, but if I can prevent something happening on the endpoint, that's a good thing. And if I can use intelligence to stop something happening within my network, that's an important thing. So to me, it's making people's lives easier. If we can prevent attacks from happening -- however, that's a complicated scenario as well, because obviously cybercrime has a lot of money attached to it.

[00:04:39] Sean Martin: Right.

[00:04:39] Tony Anscombe: Somebody's making a lot of money somewhere.

[00:04:42] Sean Martin: And they're going to reinvest that money to make even more money.

[00:04:47] Tony Anscombe: They do, and that's the problem -- they then advance the tooling and they make more money. They also diversify their businesses into other extortion methods. And unfortunately, once you're making that money, it's like a drug. You're not going to give it up anytime soon.

[00:05:04] Marco Ciappelli: Well, sociologically speaking, when you look at crime, even if it's not cybercrime, any kind of crime -- obviously somebody decides that's their business.

[00:05:14] Tony Anscombe: I like the way Hollywood always looks at this.

[00:05:17] Marco Ciappelli: Yeah.

[00:05:17] Tony Anscombe: Hollywood always says go after the money. When you watch some crime drama, you know -- go after Mr. Big.

[00:05:24] Marco Ciappelli: Stop the money.

[00:05:24] Tony Anscombe: Follow the money and stop Mr. Big. And maybe cybercrime -- it's about time we changed tack and tried to cut the money off. Why is cryptocurrency deregulated? That's a good question, isn't it?

[00:05:39] Marco Ciappelli: That is a good question. Listen, I want to talk a little bit about the research methodology. Because obviously when we talk about data, we need data and information. But when you have all of that in front of you, you may have a ton of it. What do you do with it? How do you make it usable and productive?

[00:06:08] Tony Anscombe: We historically are very well known as a research company -- and I get told off by our product people when I say we are still a research company with products. They tell me we are a product company with research. But semantics, isn't it? I like my way of explaining this. But that's what creates the data. If you are doing the research and creating the data and you've got good products in market and you're getting the telemetry back from those products, and then you've got a good research team actually analyzing that in context of what else they found -- suddenly you understand prevalence. You understand the attack methods and the tactics being used. More importantly, you can take what the research comes in with and you can actually create products that answer the attacks you are seeing in market. So you can actually create products based on data. I think that's super, super important.

[00:07:09] Marco Ciappelli: And reconnect to being proactive versus reactive.

[00:07:13] Tony Anscombe: Yeah, absolutely. And you need that global picture on that as well. It's important to have that global telemetry and that global view. That's why we've got research offices around the globe, in different locations, so that we are never outside the sunlight, so to speak. However, they're researchers -- they don't need sunlight. Let's just be clear.

[00:07:35] Marco Ciappelli: Follow the money and the light.

[00:07:37] Tony Anscombe: Yes.

[00:07:37] Sean Martin: Follow the money and the light. So you talked a bit about research bringing intelligence and having the context. There's a lot, as Marco's talking about -- I need to know what's most important for my business, and my business is different from others. My infrastructure is different, my team has a different program, they're staffed with different skills. How does ESET help meet the needs of all those different layers?

[00:08:10] Tony Anscombe: Well, that's interesting. Let's just talk about threat actors for a moment. Because the threat actors tend to run campaigns. If you remember last summer, you saw a number of attacks against retailers in the UK. And then shortly after that, another group attacked retailers in the US. My point here is that they work out ways to do things against certain industry sectors, and then they'll put those into practice. Then they may go off and do research on something else and go after other industry sectors. Coming back to that conversation we had on threat intelligence -- that's why it's important to have the context of what's happening and the prevalence of what's happening. If you see a campaign being run by bad actors in one place, you can go off and protect against the way it's being done to others in your same sector. Your business might be unique in its infrastructure, but you're not unique in probably what you do business in -- you are in a category. Understanding how that category is being attacked, learning from other things that have happened, is super important.

[00:09:15] Tony Anscombe: But also the tools that we provide. For example, ESET Inspect -- you've got limited resources in house, because resource is expensive and hard to come by. When you use the AI tooling within our products, when the analyst sits down and an incident comes in, in effect the forensics have all been done. The AI tooling already gives you that visualization and puts all the evidence and all the forensic materials in front of them. They don't need to go gather the information or do the investigation. They're looking at the facts.

[00:10:36] Sean Martin: What's the level of desire -- I think desire is probably the best word -- of automating some of these things?

[00:10:51] Tony Anscombe: Well, there are several reasons to automate. One is a lack of resource. If we go back three or four years, big numbers were being thrown around -- 3 million people short in the cybersecurity industry. So when you've got that mass shortage, you need automation. Now today, for other reasons, the attacks and what's happening in the market are so sophisticated that the automation brings you speed. You could have lots of resource and if it took you three days to collect all the bits of information that allow you to make a determination -- you are already in the post-attack stage. So you need something that does it in a smart timeframe. Think about EDR as a concept: you are collecting data from every source on an endpoint, or from other devices on a network with XDR, and you are collecting so much data that no human could sort through it in time. So you have to have that level of automation in there.

[00:12:05] Sean Martin: It goes back to your point on the data. It's all there.

[00:12:12] Marco Ciappelli: I'm very visual -- and I also have a visual from the prior conversation we were having with our friend, who made the concept that AI in cybersecurity needs to be fast to compete with the cybercriminals who use AI. But he also said he likes old video games like Super Mario, and brought up the example of when you eat the mushroom, you go really fast but you lose control. What I'm saying is: you get a lot of data. You use AI, maybe you use it properly -- and maybe instead of doing something positive, it creates another problem. So how do you balance all of this?

[00:13:05] Tony Anscombe: One thing you'll always hear from us at ESET is that AI should be in conjunction with human expertise. There should always be human oversight, because that gives somebody the ability to look at the context of what's going on. Would I trust the search results that come back from an AI search engine? I might trust it to read it, but I'd go and verify it. In cybersecurity it's the same -- trust and verify. I think you need that human oversight still. Maybe that'll change. In three to five years we may be sat here and it'll be a different situation. But today I would still very much have that.

[00:13:55] Marco Ciappelli: Still, it helps to collect the data, filter the data, and make the life of the analyst easier.

[00:14:02] Tony Anscombe: Yeah, absolutely. Imagine the crime drama where the detective sits there and the evidence just lands on their desk and they don't need to leave. It's kind of what we're doing.

[00:14:12] Sean Martin: So the IT team -- they're being asked to do a lot of different things.

[00:14:24] Tony Anscombe: Mm-hmm.

[00:14:23] Sean Martin: May not understand everything that's happening. What are you seeing with IT folks who aren't necessarily security-oriented but have to handle all this stuff?

[00:14:37] Tony Anscombe: When you say not security-oriented, what do you mean?

[00:14:41] Sean Martin: Well, it's more about standing things up, enabling the business.

[00:14:46] Tony Anscombe: Mm-hmm.

[00:14:47] Sean Martin: Working in conjunction with security, but not necessarily leading it.

[00:14:51] Tony Anscombe: I personally think IT and cybersecurity is changing. And I think you started to see that change -- and I hate using the term, but the pandemic -- you started to see the IT team become business-critical, part of the business operation. And I think that's true now. If you talk to any business and look at how they approach cybersecurity or IT, it's about business enablement and business risk. Cybersecurity is becoming about business risk. Every business will take a different view on where their risk level is -- where do you draw the line of acceptable risk? And then the IT team and the cybersecurity team need to build infrastructure to where the business accepts risk. So I think cybersecurity people and IT people need to become more aligned with the business.

[00:16:02] Sean Martin: And how do you bring it back to that conversation of risk understanding? How do we push things forward, but also do that safely within our appetite?

[00:16:24] Tony Anscombe: Think about it -- you could lock everything down so far that the business doesn't operate. It's finding that fine line where the business operates while also maintaining an understanding of risk. You see that with the sudden acceptance of cyber insurance over the last three to five years. Most companies now carry cyber insurance, so they're mitigating the financial risk of a cyber incident. And look at where insurers have started now -- providing security services like notifications of vulnerabilities to reduce the financial risk. So IT and security is really becoming about financial risk. However, I think we can also see lessons learned when we look at risk and resilience. Last year there was a power outage at Heathrow Airport for a day. It was quite something -- for an airport that size to shut down for a day because a substation caught fire.

[00:17:10] Sean Martin: Right.

[00:17:10] Tony Anscombe: There was no maliciousness, and each transformer in the substation had several cables from it to the airport, and there were multiple transformers. What nobody actually understood was that substation powered part of the safety equipment. When that substation went off, so did the safety equipment.

[00:17:58] Sean Martin: It's like your Christmas lights -- the first one goes and the rest go with it.

[00:18:01] Tony Anscombe: Exactly. They weren't meshed together. It wasn't a mesh network of power. And we can all learn from those types of incidents. The Jaguar Land Rover attack last year -- look at the supply chain issue that caused.

[00:18:14] Sean Martin: Yeah.

[00:18:14] Tony Anscombe: Lots of suppliers -- some 5,000 different companies had financial issues and supply disruptions as a result. Things like that we can learn an awful lot from. And I don't know whether as an industry, when we see an incident unfold at another company, we actually take the learnings from that company and build them in. I don't know whether we do enough of that.

[00:18:38] Marco Ciappelli: By sharing intelligence and sharing experience. Yeah. So what kind of company -- people right now watching this conversation, they like what they're hearing -- how can they start working with ESET? And is there any particular market that you're more specialized for, or that you're most valuable for, any kind of business?

[00:19:10] Tony Anscombe: I mean, our big offering right now is around EDR and MDR. If you're a small and medium-sized business, I'd really recommend looking at managed service, because trying to run today's sophisticated tools without having an experienced analyst sitting there looking at the incidents that unfold -- I think maybe that's a little naive. I strongly recommend those smaller businesses without the facilities or resource to do that. But for the larger enterprises who want to run their own -- they should definitely come and talk to us about our threat intelligence.

[00:19:58] Tony Anscombe: And threat intelligence is an interesting one because there's open source intelligence as well. One thing we are known for is very well-curated intelligence. By the time that intelligence gets to you, the false positives and false flags are out of it. So what you're actually taking in is an intelligence feed that you can plug in and have confidence that it's just going to run. But I would also augment that by saying it's not only about taking a feed, because that to me means you're not learning from the context behind the feed. I also think you should augment that with understanding the context of it as well.

[00:20:37] Sean Martin: Speaking of understanding, it's my understanding that you've been doing some research -- a survey, if you will -- that something is coming out soon.

[00:20:48] Tony Anscombe: There is.

[00:20:49] Sean Martin: Can you tease a little about what that is?

[00:20:50] Tony Anscombe: Yeah, there certainly is. And there were some things that came out in the survey results which I have been privy to -- which somewhat shocked me. Let me give you one highlight. We asked about cyber resilience and confidence, and this was SMBs. The good news is that 77% are either very or slightly confident in their cyber resilience. That shows good. I would caveat that cybersecurity people are pessimistic, aren't we, typically. So I'd just say don't be too overconfident. But it's good to hear that businesses are confident.

[00:21:32] Sean Martin: Right.

[00:21:33] Tony Anscombe: The other one that stood out for me was around cyber insurance. About a third of the people that have MDR -- say 35% -- are using their insurer as their MSSP. Now that concerns me somewhat, because there are three big insurers in the US that actually provide MDR directly, but it also means you are creating a large monoculture of those smaller businesses all running the same MDR service. I strongly believe one company might use Platform X, but the next company along the street should probably use Platform Y. Not that you should diversify within the same company, but different companies in the same sector should use different offerings to ensure there's diversity. One thing I've learned in 30 years in the industry is that layered diversity -- all these things improve security.

[00:22:36] Sean Martin: Yeah. I've not heard that one yet. It's an interesting one because I've heard about cyber insurance bringing in help to remediate -- responding and recovering. But not "we'll pick the MDR for you."

[00:22:54] Tony Anscombe: Yeah. A number of them are actually selling the MDR. But think of it as an SMB -- you want the financial mitigation, you want to reduce your risk financially. The insurer turns around and says, I'll run your security as well. This is kind of a no-brainer, isn't it? So I'm just saying -- be cautious.

[00:23:10] Sean Martin: Yeah.

[00:23:11] Tony Anscombe: Yeah. Be...

[00:23:12] Marco Ciappelli: Brave and be...

[00:23:14] Tony Anscombe: Different.

[00:23:15] Marco Ciappelli: There's a lot to think about from this conversation. Unfortunately, we have to wrap it. But that's what I always say at the end of my podcast -- if you have more questions now than answers, well, you've got the person to ask them to.

[00:23:29] Sean Martin: There you go.

[00:23:30] Tony Anscombe: Yeah, no, absolutely. Anybody can link with me on LinkedIn and ask me those questions. I'd love it.

[00:23:36] Sean Martin: Perfect. So connect with Tony, connect with the ESET team, and stay tuned for more as we continue covering RSAC Conference. Thanks, Tony.

[00:23:45] Tony Anscombe: Thank you.

[00:23:46] Marco Ciappelli: Thank you for joining us.

[00:23:47] Tony Anscombe: Thank you.