CyberUK 2026 - This isn’t IT anymore

There’s a particular hum you get at events like this. It’s a low-frequency buzz of people who know each other and have a lot to catch up on and a lot of hairy challenges to figure out. 

I’ve been to a few of these over the years, but as I walked into CyberUK in Glasgow last week, it was immediately clear this isn’t a niche cyber conference anymore. It feels closer to a national security marketplace. The official theme this year was about the “next decade” and accelerating cyber defence - a nod to the fact this is the event’s 10th anniversary. You could have written that on a lanyard and ignored it, but out on the floor, in the sessions, in the side conversations, it actually held up. 

3100 attendees, 131 speakers, 175 exhibitors, 36 countries represented, 10 hours of additional networking - the last was the killer! 

If you had to bottle the mood in one word, it would be urgency. Lots of talks about faster attacks, faster escalation, faster need to respond. That theme kept surfacing, whether you were listening to a keynote, chatting to a startup, or listening in on a conversation between two civil servants trying to translate policy into something vaguely implementable (yep, former colleagues still caught in the machine!)

The government messaging leaned into that. There was a clear push to bring AI and cyber companies into the fold, not as remote partners but as part of the defensive architecture. I’ve been seeing this trend build for the last couple of years, and the UK is now definitely edging toward a model where cyber offence and defence isn’t just something government does, but something it actively co-builds with industry. If you want an example of that, check out CloudPeek who were there, making announcements and openly taking about how closely they are working with national security (caveat - I’m their Chair!)

One of the things that stood out this year was how little sugar-coating there was. The NCSC framing of the threat landscape felt sharper than in previous years. The language around nation states wasn’t veiled and countries were called out more aggressively. China’s sophistication, Russia’s hybrid warfare, and a general sense that “background cyber attacks” are now persistent, not isolated or indeed uncoordinated.

But the more interesting shift was where cyber risk is now being placed. It’s no longer just about enterprise IT. It’s energy systems, manufacturing, logistics, robotics, space, data centres. The physical world is now very much in scope. You could feel that in the conversations. Less talk about dashboards and alerts, more about continuity, uptime, and what happens when systems don’t just get breached, but start behaving unpredictably. Cyber is bleeding into resilience. And resilience, in this context, starts to look a lot like national capability and an integral part of the national security picture.

Wandering the exhibition floor is always where the real fun is. A few things jumped out.

First, AI is everywhere, but the tone has shifted. Last year in Manchester it felt like everyone was trying to bolt AI onto whatever they already had. This year, the better conversations were much more about integration from the ground up and hell of a lot more about agentic solutions. So, reducing analyst workload, improving vulnerability discovery, automating the boring but critical bits of security operations. 

Second, there’s a growing cluster of solutions that sit in the seams. Not the big platforms, but the awkward gaps between systems where risks really hide. One example doing the rounds was SilentGlass, an NCSC-developed device that secures display connections like HDMI. It’s the sort of thing that sounds almost trivial until you realise how many sensitive environments rely on exactly those interfaces. It’s a great reminder that not all valuable cyber innovation is glamorous.

Third, cross-domain and trust architecture kept coming up. Not always explicitly, but in the way people were talking about moving data securely between environments. Defence, national security, critical infrastructure, even large enterprises are all wrestling with the same problem: how do you operate across different trust levels without grinding everything to a halt? That’s not a solved problem. Which usually means it’s an investable one.

The most interesting conversations weren’t strictly cyber. They sat at the edges, both in terms of the tech, bit also where that tech physicallt resides. Cyber and AI, cyber and operational technology, cyber and space, cyber and supply chains. There was a recognition that defending a network is one thing, defending a system of systems, where software, hardware, humans and physical processes all interact, is something else entirely. You move from pure software plays to more integrated propositions. From point solutions to complicated architectures. From “keeping attackers out” to “keeping the system running even when something goes wrong”.

If you strip away all the branding, the panel sessions, the polite applause (and the odd really awkward silences), what’s my main takeaways from Glasgow?

well, the UK government is not going to build this market through a single flagship programme. It’s shaping it through standards, guidance, pressure and selective funding. That is creating a broad, slow-burn demand curve rather than a sharp spike. Cyber is still investible, but it’s definitely more established and now more akin to other regulated industries. 

Conversely, AI in cyber is real, and the bar is rising quickly. The winners won’t be the ones who say we’re “doing AI”. They’ll be the ones who can prove they are actually reducing costs, reducing time, or reducing risk in a measurable way.

And perhaps most importantly, resilience is becoming the organising principle. Not just preventing incidents, but operating through them.

Cyber is no longer being treated as a specialist domain, and it’s certainly not “just IT”. It’s being pulled into the core of how the government and industry thinks about security, economy and sovereignty.

…and that is why it’s hard to ignore this event, that and the endless cans of free Irn Bru!