Strategic Discussion: Commercial Cyber Intrusion Capabilities (CCICs) have become a defining feature of today’s cyber threat landscape. Developed and sold by private companies but used by a wide range of state and non‑state actors, these capabilities can blur the line between responsible and irresponsible cyber activity. Their global availability, incentivisation, and uneven standards of accountability, precision, oversight and transparency create real risks: to victims, to international stability, and to the defenders tasked with detecting and responding to abuse.

This workshop will explore how we can respond more effectively to this challenge by working differently. Attendees will examine how cross‑sector collaboration can create an “aggregate advantage” that outperforms isolated action. Through facilitated discussion and interactive exercises, participants will contribute ideas on how to deliberately combine capabilities such as vulnerability research, threat intelligence, forensics, policy expertise, victim support, and shared telemetry. The session is designed to be participatory, drawing on the collective experience in the room to identify practical models for collaboration and coordinated response. Bringing together government, industry, civil society, and the technical community.

The discussion is grounded in recent real‑world examples where distributed teams of investigators, analysts, NGOs and journalists have acted in parallel to expose irresponsible actors, illuminate advanced intrusion capabilities, and provide tangible indicators of compromise to support victims. It also builds on the momentum of the Pall Mall Process, now in its third year, which has helped establish a shared framework for responsible behaviour in this space, led by the UK and France.

By the end of the workshop, participants will have helped shape thinking on what effective, responsible partnership looks like in practice, and how we can better detect, deter and respond to irresponsible behaviour. Insights from the session will directly inform ongoing work across the NCSC and FCDO, helping to define future approaches to commercial cyber intrusion tools and the ecosystems that sustain them.