TrendAI™ Research at RSAC 2026: Advancing Defense Across AI‑Driven and Cyber‑Physical Threats
TrendAI presented research at RSAC 2026 highlighting the dual emergence of autonomous, agentic AI-driven cybercrime and systemic vulnerabilities in cyber-physical systems like EV charging infrastructure. The findings emphasize the necessity for organizations to adopt machine-speed, AI-driven defenses and comprehensive frameworks like NIST IR 8473 to mitigate these rapidly evolving threats.
Authors: TrendAI™ Research
Source:
Trend Micro
Key Takeaways
- Cybercrime is evolving toward autonomous, agentic AI-driven operations capable of handling reconnaissance, social engineering, and extortion at scale.
- Electric Vehicle Supply Equipment (EVSE) contains critical vulnerabilities, particularly at the interfaces between different systems where security controls fail to align.
- NIST IR 8473 is recommended as a comprehensive cybersecurity profile to reduce systemic risk in EV charging infrastructure.
- Defenders must adopt AI-driven, continuously operating security capabilities to keep pace with machine-speed, autonomous attacks.
Affected Systems
- Electric Vehicle Supply Equipment (EVSE)
- EV charging infrastructure
- Connected vehicles
Attack Chain
Threat actors are theorized to use layered agentic AI architectures where specialized agents autonomously conduct reconnaissance, targeting, social engineering, and extortion. An orchestration layer dynamically adjusts tactics to evade defenses. In the cyber-physical realm, attackers target the interfaces between EV charging systems where responsibilities and security controls often fail to align, allowing for exploitation of the broader mobility ecosystem.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the article.
Detection Engineering Assessment
EDR Visibility: None — The article discusses theoretical AI-driven threats and EV charging vulnerabilities at a high level without providing endpoint telemetry or specific malware indicators. Network Visibility: None — No network indicators, C2 protocols, or specific traffic patterns are detailed in the text. Detection Difficulty: Very Hard — Agentic AI threats dynamically adjust tactics, and EV infrastructure vulnerabilities exist at complex system interfaces, making standard signature-based detection ineffective.
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Monitor for high-volume, highly personalized social engineering campaigns that exhibit machine-speed generation and dynamic adaptation. | Email Gateway Logs, Web Proxy Logs | Initial Access | High |
Control Gaps
- Lack of unified security controls at interfaces between EV charging components
- Traditional security models unable to operate at machine speed against autonomous AI
Recommendations
Immediate Mitigation
- N/A
Infrastructure Hardening
- Adopt NIST IR 8473 as a cybersecurity framework for EV and extreme fast charging infrastructure.
- Implement secure-by-design engineering practices for connected vehicles and charging networks.
User Protection
- Deploy AI-driven security capabilities to counter automated, high-volume social engineering and extortion campaigns.
Security Awareness
- Foster deeper collaboration among automakers, suppliers, and infrastructure operators to strengthen resilience across the mobility ecosystem.
MITRE ATT&CK Mapping
- T1589 - Gather Victim Identity Information
- T1598 - Phishing for Information
- T1486 - Data Encrypted for Impact