As generative artificial intelligence (AI) redefines both innovation and cybercrime, Google finds itself defending a new digital frontier. At the center of this effort is Gemini, the company’s powerful AI model, which has increasingly become a target for state-sponsored attackers.
For Jayce Nicols, Director of Intelligence Solutions at Mandiant, part of the Google Threat Intelligence Group (GTIG), the focus has shifted from preventing the next breach to anticipating how adversaries will leverage the same technologies. “We’re going to see major, major disruption over the next few years,” he says. “The technology is improving so fast, and that’s going to make big changes for both cyber offense and defense.”
Nicols joined Google as part of its acquisition of Mandiant and now helps lead GTIG—a fusion of Mandiant’s on-the-ground response teams and Google’s Threat Analysis Group. “We kept the Mandiant Intelligence Group intact when we came over,” he explains. “And now we help ensure that our expertise appears directly in the products.”
One of those products is Gemini, a defensive platform that also presents a growing liability if not properly protected. According to Nicols, adversaries are already using AI to enhance their operations: “They will definitely be using it.” These use cases are practical, though not glamorous—generating phishing lures, translating messages, summarizing reports on targets, or writing malicious code. “In a way, it’s more boring than you might expect,” he says. “They’re automating basic work. It’s productivity enhancement for them.”
In some instances, actors have even tried to use Gemini to probe Google’s own defenses. However, Nicols insists the model’s built-in protections are effective. “Gemini is pretty good about detecting when they’re doing that and blocking it.”
The real advantage, Nicols argues, lies in how intelligence is operationalized across Google’s scale. Threat data from Mandiant flows into systems like Safe Browsing, Workspace, and Cloud, enabling protection to be deployed across billions of endpoints in near real time. “All the intelligence that we collect, they utilize that to help protect those systems,” he says. “If we see malicious activity here, then anytime we see it again, we can protect against it across the fleet.”
This constant loop of detection and adaptation is what Nicols calls “living threat intelligence.” It’s powered by Mandiant’s unique visibility into what happens when everything else fails. “We go in when all the defenses failed,” he explains. “You see how the attacker got in, how they moved laterally, what they exfiltrated—and what they tried to do with it.”
That frontline knowledge is continuously fed back into product logic, enhancing Google’s ability to respond to evolving threats.
As tools become more secure, attackers are increasingly targeting users—particularly their identities. “Identity is the new endpoint. And authentication is the new execution,” Nicols warns. In cloud-native environments, attackers no longer need malware. They steal tokens or login credentials and use legitimate platforms like Google Docs or Calendar to move around unnoticed.
“If you log in as me, how does the system know you’re not me? Anything you ask for won’t seem suspicious,” Nicols explains. His solution is straightforward: eliminate exceptions. “Have phishing-resistant multi-factor authentication on every system, with no exceptions. We’ve seen cases where 99% of systems were protected, but the attacker went through the one account that wasn’t.”
This identity-focused approach is central to Google Cloud’s Cyber Shield, where Mandiant collaborates closely with engineering teams to create and deploy detection rules based on fresh threat intelligence. “When we find threat activity we haven’t seen before, we create and deploy detection rules that go into the security operations platform that protects Cyber Shield customers,” says Jayce Nicols.
“It’s like doing a database merge between threat intelligence and live telemetry. We can match all that at scale in a way you could never do manually,” he explains. Cyber Shield also includes a service layer—Mandiant analysts work directly with clients to operationalize these insights. “It’s not just product. It’s software plus services.”
Among the most troubling trends Nicols tracks is the use of deepfake identities by North Korean operatives to infiltrate tech companies. “These are software engineers from North Korea getting hired remotely. Ninety percent of their paycheck goes to the government,” he explains.
Backed by generative AI, these actors create fake resumes, prepare for interviews, and even use manipulated video to mask their identity. “They’re even using deepfakes during interviews to change their appearance,” Nicols adds. Once hired, they may work undetected for months, quietly exfiltrating data.
Looking ahead, Jayce Nicols is particularly focused on the rise of autonomous AI agents—software systems capable of performing actions and making decisions across platforms. For defenders, this introduces a new type of asset to secure. “AI security is cloud security,” he says. “If agents are calling tools and authenticating to systems, you need to know what they’re doing and how they’re protected.”
For Nicols, the path forward is already clear. “We’re definitely at the edge of a new frontier.”
Related article: Why Google Cloud believes security is its greatest differentiator
Las Vegas ― At Google Cloud Next ’25, the company positioned security not as a feature, but as a foundational differentiator—one built from the ground up through its artificial intelligence expertise, cloud-native architecture, and integrated threat intelligence. In a cloud market where hyperscalers compete on scale and cost, Google Cloud aims to win on trust.
Google Threat Intelligence Group, formed through the integration of internal security data with Mandiant’s deep expertise, offers unmatched visibility into global threats. These insights are operationalized directly in Google Cloud’s tools—from real-time detection to policy recommendations. READ MORE
Editor’s Message
Dear readers, please note that The Readable will pause publishing new stories from April 25 to May 14 as we focus on editing our upcoming quarterly magazine.
