‘Everyone should learn to hack’: Inti De Ceukelaire on the future of cybersecurity

In 2026, we may have to revise our ideas about what hacking even is

Intigriti’s Chief Hacker Officer argues that hacking isn’t a moral failing, but an essential skill society urgently needs to democratise.

From Belgium’s government-backed hacking programme to the rise of AI-powered exploits, Inti De Ceukelaire warns that the only way to outpace cybercriminals is to empower more people to think like hackers.

De Ceukelaire, Chief Hacker Officer at vulnerability disclosure platform Intigriti, begins our interview by explaining his dislike of the term 'ethical hacker.'

"I'm a hacker," he says. "You don't visit an 'ethical pharmacist' because some people sell illegal drugs. The default should be hacker. There will always be criminal hackers, people that misuse their skills, but hacking itself is just a profession."

The logic underlying De Ceukelaire's point is compelling. If we want to disrupt cybercriminals, we can only do it by empowering hackers and creating more of them.

"If everybody was taught the basics of hacking at school, I think the world would be a much safer place," he says. "If you taught the basics, like hacking mindset, everybody would be better able to catch things like fraud. They'd be able to think like a hacker and identify and report weaknesses in other applications.

“Developers would know better how to write secure code. If everybody knew how to hack, the amount of cybercrime would drop dramatically because the good people would outnumber the malicious people."

State sanctioned hacking - but good

De Ceukelaire has a case study to prove his point, based in his native Belgium: the 'Hack the Government' programme. It mirrors the state-sanctioned hacking activity that goes in less friendly nation states, but far more positively.

"We organise a day with the Center for Cybersecurity where we have the biggest government apps and a group of hackers. It's almost a networking event. Anyone can bring a laptop, and we hack the government apps. The Prime Minister of Belgium saw the first edition in 2024 and thought it was so cool that he personally wanted to hand out the awards.

“Five years ago, everybody would have gone crazy, but we found so many vulnerabilities, and that was considered a good thing. And it is a good thing."

Those who worry about UK cyber resilience can only look enviously at a public programme which demonstrates clear-eyed, long-term policy thinking and deals with the world as it exists rather than as we might wish it to be. De Ceukelaire makes a convincing argument for its effectiveness.

"Imagine being 18 years old, finding a bug in a government system and having the prime minister of your country hand you an award. It's about that feeling of power, but also that feeling of recognition."

The decoupling of teen hacking power from positive recognition through official channels leads to that sought-after recognition coming from much darker corners of the internet, often in the form of grooming from cybercrime gangs. It's a highly combustible mix, to which generative AI is adding considerable fuel,

New year, new threats

The first concern De Ceukelaire raises is that traditional hacking requires coding - a deliberate act with a technical barrier to entry. AI can render those barriers virtually obsolete, which means IT leaders, policymakers, educators, and law enforcement may need to revise their understanding of what "hacking" means.

"I don't need to know how to write code to manipulate an AI, and I can make an AI do very funky things just by asking," says De Ceukelaire. "Whether we see it in 2026 or 2027 depends on how fast everybody integrates it, but what if normal users can just talk to an AI and make it do things like refund an airline ticket or give away gift cards? If normal end users can suddenly interact with these systems in natural language rather than code, is it still hacking?"

It sounds too easy to be true. Surely AI developers designed models resistant to such basic manipulation?

"I have tried it, and it turns out that they're still very prone to manipulation techniques."

The technique in question will be familiar to anyone who has dealt with a determined toddler. Giving a straightforward instruction often results in refusal, while offering a choice between two options tends to yield better results. De Ceukelaire says he has tested this technique on numerous LLMs and large action modes (LAMs) and it works frequently. Agentic AI has been the game-changer.

"A lot of LLMs and agentic customer service systems are linked to datasets and to LAMs, so your request is transformed into an action. By sending a request to an inbox, you can now delete your profile or maybe somebody else's profile. You can access certain data because companies want to outsource as much as possible to AI."

De Ceukelaire also believes AI will be used to mount criminal data scraping operations.

"I think scraping is going to be a bigger issue than we imagine and will take the form of indirect attacks. Location data, for example - there will be AI systems that will be very good at pattern recognition that can unmask users based on anonymous data points. Then you create privacy issues because users are no longer anonymous, and these datasets get enriched by other means."

He also describes the phenomenon he calls ‘abuseware’ - when the legitimate functionality of applications is exploited for malicious purposes.

"An example is Google Forms. You can invite somebody to fill in a form or edit a document, and this sends an email from @google.com. What a lot of scammers have been doing is using that functionality rather than sending you an email directly, so now the email server can no longer detect it efficiently."

"I also think there will be more identity verification implemented. You already see this with Meta and especially in the UK, with all the adult sites where people have to verify their ages. I think we will likely see the first breach of one of these identity datasets but also elevated extortion. An older style of attack would have been an email claiming to have a video of you. If criminals can get their hands on actual website data, they can more effectively blackmail people."

What we can do

De Ceukelaire believes we should name and recognise these challenges while guarding against the nihilistic impulse that continual data security breaches are inevitable.

"Once we get into that loop where people believe governments and institutions are not capable of fixing this problem, it becomes a self-fulfilling prophecy. I do try to be optimistic," he says.

"Relying on government isn't my favourite way of building resilience, but they can introduce new regulations. One thing that should always happen is full transparency. After a breach, every user should have the right to a full technical report of how it happened. Not finger-pointing or names, but people can only learn once we start sharing information.

"Companies should be required to look back and see what they did wrong because the typical attitude to cybersecurity is 'we'll pay the fine and move on,' but by sharing that postmortem, the reputational damage could be compounded. So that might make people take more care along the way."

In the UK, the new Cybersecurity and Resilience Bill is clearly drafted with the necessity for greater transparency in mind, though it mandates incident reporting only for operators of essential services and their critical suppliers—widening the scope of reporting, but not quite as much as De Ceukelaire would prefer.

The AI advantage: Context-aware hacking

De Ceukelaire also sees significant benefits from AI, particularly in automating routine testing to enable hackers to focus on deeper research, much of which is decidedly non-technical in nature.

"People will get more time to spend on in-depth research, testing techniques that may have been around since the 90s, but nobody ever really bothered to look at them because there's so much low-hanging fruit. The OWASP Top 10 has been the same for ages,” he observes.

“Maybe, indirectly, AI is going to shake these things up and people will be forced to find new vulnerabilities that likely require context. I think business logic flaws will be significant, but to identify those you need to invest a lot of time to understand the business."

He describes this deeper work as context-aware hacking.

"When I hack a company, I read all of the documentation, over and over, and the API documentation. And then I may spot a pattern I’ve seen somewhere else. Once you get this mental model of a company, you may start to predict some mistakes that they may have made, but that are not visible to the typical hacker.”

The future of cybersecurity won't be won through ever-higher walls and more sophisticated defences alone. It will be won by organisations that recognise security as a fundamental competency across their workforce, that embrace transparency over secrecy, and that understand the human motivations driving both attackers and defenders.

As De Ceukelaire's work in Belgium demonstrates, sometimes the most effective security strategy is to empower more people to think like hackers - before someone else recruits them to become one.