Beyond Detection: Strengthening Cyber Resilience through AI-Driven Investigation, Response and Collaboration

Mr Vasilis Kyriazopoulos

Senior Project Manager
[Image: A person wearing a VR headset analyses a 3D digital city with a cybersecurity alert while large data dashboards display maps and charts in the background. © Image by ChatGPT]

Digital infrastructures now support almost every part of modern society. Telecommunications, transport, healthcare, finance, public administration, manufacturing, energy and airport operations all depend on interconnected systems, distributed data, cloud services, connected devices and real-time decision-making. This digital dependency creates value, but it also increases the potential impact of cyber incidents.

The challenge is no longer limited to protecting isolated IT systems. A cyberattack can affect service availability, business continuity, personal data, operational safety, public trust and the ability of organisations to deliver essential services. For companies, the economic impact can include operational downtime, recovery costs, regulatory obligations, reputational damage and loss of customer confidence. IBM’s 2024 Cost of a Data Breach Report [1] estimated the global average cost of a data breach at USD 4.88 million, with business disruption and post-breach response activities among the drivers of increased costs. The social impact can also be significant. Cyber incidents affecting healthcare, transport, public services or communication networks can delay access to services, disrupt daily life and reduce citizens’ trust in digital systems. In sectors such as energy, water, transport and industrial production, cyber incidents may also affect systems that monitor environmental, safety or operational conditions. This means that cyber resilience is increasingly connected not only to business protection, but also to societal stability and responsible digital transformation.

Moving from fragmented protection to operational resilience

Cybersecurity teams are expected to detect threats, understand incidents, assess risks, respond quickly and coordinate with other actors. However, this is difficult in complex digital environments. Organisations often rely on multiple tools that generate large volumes of alerts, but these tools do not always provide a unified view of the infrastructure, the attack context or the most appropriate response.

According to ENISA’s Threat Landscape 2024 [2], threats against availability were among the leading cybersecurity threats, followed by ransomware and threats against data. The report also highlights that the European threat landscape is shaped by several types of attacks, threat actors and techniques, based on thousands of publicly reported incidents and events.

This creates a clear operational challenge. Detecting a threat is essential, but detection alone is not enough. Security teams also need to understand what has happened, how the incident may evolve, which assets are affected, what the business impact could be, and which response actions should be prioritised. In addition, they need to share relevant threat intelligence with other stakeholders without exposing sensitive or confidential information. The European regulatory context reflects this need for stronger resilience and coordination. The NIS2 Directive [3] establishes a unified legal framework for cybersecurity across 18 critical sectors in the EU and introduces requirements related to cybersecurity risk management, incident reporting, cooperation, information sharing, supervision and enforcement. These developments show that cybersecurity is no longer only a technical function. It is becoming a governance, continuity and resilience priority.

State of the art and current practices

Current cybersecurity practices typically combine several layers of defence. Organisations use firewalls, endpoint protection, vulnerability management, identity and access controls, Security Information and Event Management systems, threat intelligence feeds, incident response procedures and security awareness activities. More advanced organisations also operate Security Operations Centres, use automation tools and test their response through cyber exercises or Cyber Range environments.

Frameworks such as the NIST Cybersecurity Framework [4], which NIST describes as a resource for helping organisations better understand and improve their management of cybersecurity risk, help organisations structure cybersecurity risk management across key functions. In Europe, the NIS2 Directive [3] reinforces the importance of risk management, reporting, cooperation and incident response across critical and important sectors.

Despite these practices, important gaps remain. Many organisations still face fragmented visibility across systems and assets. Security tools may detect suspicious activity, but analysts may still need to manually correlate alerts, evaluate risks and decide how to respond. Incident investigation can be slow, especially when information is spread across different systems. Collaboration between organisations can also be difficult because threat intelligence sharing must respect privacy, confidentiality and operational constraints.

There is also a human capacity challenge. IBM’s 2024 report [1] notes that more than half of breached organisations faced high levels of security staffing shortages, and that extensive use of security AI and automation was associated with lower breach costs in certain security workflows. This supports the growing need for tools that can assist cybersecurity teams, reduce manual effort and support faster, more informed decisions.

How CyberSecDome addresses the challenge

CyberSecDome [5] addresses this wider challenge by developing an integrated approach to cyber resilience that goes beyond simple detection. The project is a Horizon Europe Innovation Action funded under the Civil Security for Society programme, running from 1 September 2023 to 31 August 2026 under Grant Agreement No. 101120779.

The project focuses on enhancing the resilience, security and privacy of complex and heterogeneous digital infrastructures through a combination of Artificial Intelligence, Virtual Reality, Digital Twins, Cyber Range capabilities and privacy-aware information sharing. The official CyberSecDome website [6] describes the project as a Virtual Reality-based approach for intrusion detection, incident investigation and response, aiming to support real-time insights into incidents and risks, collaborative response and privacy-aware sharing of information.

In practical terms, CyberSecDome seeks to support cybersecurity teams across several stages of cyber defence. AI-enabled tools can assist with intrusion detection and prediction, incident investigation, dynamic risk analysis, automated penetration testing and adaptive incident response. Instead of treating these activities as separate processes, CyberSecDome brings them together within a broader framework designed to improve situational awareness and response capability.

A key part of this approach is the use of Virtual Reality and Digital Twin environments. Cybersecurity incidents are often difficult to understand because they involve many assets, dependencies, alerts and possible attack paths. Immersive and simulation-based environments can help security teams visualise complex infrastructures, test scenarios safely and understand the possible consequences of different response actions before applying them in real systems.

CyberSecDome also addresses the need for collaboration. Cyber threats rarely affect only one organisation in isolation. Threat intelligence, lessons learned and response knowledge can be valuable across a wider ecosystem. At the same time, information sharing must be designed carefully to protect sensitive data. CyberSecDome therefore promotes privacy-aware collaboration, supporting the exchange of useful security knowledge while respecting confidentiality and operational boundaries.

Within the project, ITML contributes to the technical development of AI-empowered security tools and leads the project’s dissemination and communication activities as Dissemination and Communication Manager. Through this role, ITML supports project visibility, stakeholder engagement, communication planning, dissemination material, newsletters, clustering activities and the wider communication of CyberSecDome’s progress and results.

Looking ahead

The future of cyber resilience will require more than stronger individual tools. Organisations will need integrated capabilities that connect detection, investigation, risk assessment, response and collaboration. They will also need solutions that help security teams manage complexity, reduce alert fatigue, test their preparedness and cooperate with trusted stakeholders.

Several directions are becoming increasingly important. First, AI and automation will continue to support faster analysis and decision-making, but they must be implemented responsibly and with appropriate governance. Second, Cyber Range and Digital Twin environments can become more widely used for testing, training and validating cyber response strategies before real incidents occur. Third, privacy-aware information sharing will be essential for building collective resilience across sectors and borders. Finally, cyber resilience should become part of wider organisational planning, including business continuity, regulatory compliance, risk management and crisis response.

CyberSecDome contributes to this direction by exploring how AI-driven security tools, immersive technologies and collaborative mechanisms can work together to support more resilient digital infrastructures. By addressing the challenge from detection to investigation, response and cooperation, the project reflects a broader shift in cybersecurity: from defending systems in isolation to strengthening the resilience of interconnected digital ecosystems.

To stay informed about the project and its latest activities, visit the CyberSecDome website, follow the project on LinkedIn and X, and subscribe to the CyberSecDome YouTube channel.

CyberSecDome website: https://cybersecdome.eu/

LinkedIn: CyberSecDome – EU project

X: @cybersecdome_eu

YouTube: @CYBERSECDOME-EUproject-2023

This project has received funding from the Horizon Europe Framework Programme under Grant Agreement No. 101120779. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or European Commission. Neither the European Union nor the European Commission can be held responsible for them.

References

  1. Cost of a data breach 2024: Financial industry | IBM
  2. ENISA Threat Landscape 2024 | ENISA
  3. NIS2 Directive: securing network and information systems | Shaping Europe’s digital future
  4. Cybersecurity Framework | NIST
  5. CyberSecDome | Project | Fact Sheet | HORIZON | CORDIS | European Commission
  6. Home page – CyberSecDome