How AI-Powered Attacks Are Outpacing Traditional Security Defenses
AI-powered attacks now reach data exfiltration in under 72 minutes. Discover how attackers exploit AI to compress the kill chain — and what security teams must do to keep up.
Key Takeaways
- The attack timeline has collapsed: The fastest intrusions now reach data exfiltration in 72 minutes, down from nearly five hours the year prior. Periodic testing can’t keep up with that speed.
- Attackers are getting faster: AI compresses every stage of the attack lifecycle, from reconnaissance to exfiltration, giving a single operator the impact of an entire team.
- The biggest gaps are structural: Over 90% of breaches still trace back to preventable weaknesses like misconfigured access controls, excessive permissions, and unpatched public-facing applications.
The fastest AI-powered attacks now go from initial access to data exfiltration in 72 minutes.
That number comes from Palo Alto Networks’ 2026 Unit 42 Global Incident Response Report, which analyzed over 750 major incidents across 50 countries. A year earlier, the same metric was nearly five hours.
The 4x compression means the window between “something happened” and “data is gone” is now shorter than most security teams’ escalation workflows. And attackers are still early in their adoption of AI-enabled tactics. The acceleration is just getting started.
AI is changing how quickly attackers can plan, test, and execute. Security teams need to understand where those speed gains create real gaps and how to adjust their programs to keep up.
What Changed When Attackers Gained Access to AI
Between 2021 and 2024, AI in cybersecurity was mostly a defensive tool. Organizations used it for anomaly detection and malware classification. Attackers still relied on manual workflows where a human operator interpreted each result and chose the next step.
That changed when frontier reasoning models gave attackers something new: agentic systems that pursue strategic objectives autonomously. These systems coordinate multiple tools, perform reconnaissance, and update their plans dynamically as they encounter defensive barriers.
A single operator using AI agents can now achieve the impact of an entire advanced persistent threat group. The shift from manual to autonomous offense is why vulnerability exploitation became the leading cause of attacks in 2025, accounting for 40% of all incidents observed by IBM X-Force.
Now, three distinct capabilities define this new era of AI-augmented offense:
- Automated exploit development: AI can analyze vulnerability descriptions and generate working exploit code in seconds. In many cases, functional exploits appear before human security researchers finish reading the advisory.
- Dynamic malware mutation: New malware families, like PROMPTFLUX, use integrated LLM APIs to rewrite their own source code during execution. Each run produces unique variants that evade signature-based endpoint detection.
- Machine-speed reconnaissance: AI agents don’t just scan for open ports. They analyze the business context of exposed assets, map trust relationships between systems, and triage which specific vulnerabilities are reachable based on current network topology.
The Three Stages of an Attack That AI Has Compressed Into Minutes
The compression of the attack lifecycle is the most measurable trend in offensive security right now. What used to take days of manual effort now plays out in a coordinated sequence that can reach completion in under 72 minutes.
Stage 1: Reconnaissance and Attack Surface Mapping (Minutes)
AI agents perform network vulnerability assessment at a speed and depth that human operators cannot match.
They scrape Active Directory metadata, discover orphaned domains and misconfigured cloud buckets, and identify unmanaged SaaS integrations that traditional scanners miss.
Instead of reporting thousands of flaws, these agents triage to determine which specific vulnerabilities are reachable and exploitable based on the current network topology.
Unit 42 found that attackers now begin scanning for newly discovered vulnerabilities within 15 minutes of a CVE being announced. That’s often before security teams have finished reading the advisory.
Stage 2: Initial Access and the Quiet Attack Path (Minutes)
Initial access increasingly relies on identity-based techniques rather than complex malware.
Attackers request Kerberos service tickets for accounts with Service Principal Names, then crack the cryptographic material offline. This generates almost no suspicious network traffic.
In environments with integrated AI assistants, attackers embed malicious instructions in documents that a victim’s AI agent processes, forcing it to exfiltrate session tokens or sensitive data.
MFA fatigue attacks, where AI agents trigger repeated authentication requests until a user approves one, round out the identity-first playbook.
Stage 3: Lateral Movement, Escalation, and Exfiltration (<72 Minutes)
Once inside, AI agents chain small misconfigurations together with machine precision.
An over-privileged service account combined with an unpatched internal API becomes a path to the domain controller. Automated scripts collect documents and system information in real time while simultaneously impairing security controls.
The entire sequence from foothold to exfiltration now fits inside the length of a typical incident response meeting.
The Security Gaps That AI-Powered Attackers Are Actively Exploiting Right Now
That same Unit 42 report found that over 90% of breaches traced back to preventable gaps in visibility, access controls, and security coverage.
AI-powered attackers don’t need novel techniques when structural weaknesses are this common. They just find and exploit them faster than anyone expected.
The IBM X-Force 2026 Threat Intelligence Index reinforces this pattern. Attacks exploiting public-facing applications surged 44% year over year, and 56% of disclosed vulnerabilities required no authentication to exploit. Attackers are finding open doors and moving through them faster.
The following gaps are where AI-powered attackers concentrate their efforts:
| Gap Category | Why AI Attackers Target It | What Traditional Tools Miss |
| Non-human identities | Admin-level privileges with minimal monitoring | Service accounts, secrets, and agent tokens are rarely included in access reviews |
| Business logic flaws | Unique to each application, can’t be pattern-matched | Scanners detect missing patches, not flawed workflows |
| CI/CD supply chains | Trust relationships between build tools and SaaS integrations | Pipeline dependencies are outside the scope of most vulnerability scans |
Identity and Non-Human Accounts
Non-human identities like service principals, API tokens, and autonomous agents now vastly outnumber human users in most environments.
Nearly 90% of incidents investigated by Unit 42 involved identity weaknesses. These accounts often carry administrative privileges and lack the monitoring applied to human credentials, making them an efficient path for AI-driven lateral movement.
Logic Flaws and Excessive Agency
Traditional scanners find “fingerprintable” vulnerabilities like missing patches, but AI-powered attackers focus on business logic flaws, the vulnerabilities that live in how an application’s workflows actually function.
A growing concern is excessive agency, where an AI agent integrated into a business process has more authority than it needs. If that agent can delete records or call external APIs without human review, an attacker who compromises it inherits those permissions.
The CI/CD Supply Chain
Supply chain and third-party compromises have nearly quadrupled since 2020, according to IBM X-Force.
Attackers exploit the trust relationships between CI/CD automation tools and SaaS integrations, turning build pipelines into lateral movement paths. For example:
- The Novee research team discovered a CVSS 10.0 remote code execution flaw in Google’s Gemini CLI that originated in how the tool handled workspace trust in headless CI/CD environments.
- The CLI automatically trusted the current workspace folder and loaded any agent configuration it found there without human review.
- Using this exploit, an attacker could place malicious content into a repository via a pull request, and the CLI would execute it on the host system before sandbox initialization.
What Real AI-Powered Exploitation Looks Like in Production
The capabilities and gaps described above are already producing real incidents. These three cases from 2025 and 2026 show what AI-powered exploitation looks like when it reaches production environments.
- Mexican government agency espionage (2025-2026): A single operator used Claude Code and ChatGPT to simultaneously breach nine Mexican government agencies. AI compressed exploit iteration and automated reconnaissance across hundreds of servers at the same time. One person accomplished what would have previously required an entire state-sponsored team. The case was one of the first confirmed examples of AI enabling a lone actor to operate at APT scale.
- LiteLLM supply chain compromise (March 2026): The TeamPCP threat group compromised Trivy, a widely trusted security scanner, and used it to backdoor LiteLLM, an AI gateway installed across millions of developer environments. The vulnerability was assigned CVE-2026-33634 with a CVSS score of 9.4. Attackers specifically targeted the broad permissions that AI agents typically run with in development environments, exfiltrating credentials during a brief window of infection. The attack targeted the very tools organizations use to protect themselves.
- Cursor IDE zero-day (2026): Novee researchers identified a high-severity arbitrary code execution vulnerability in the Cursor IDE (CVE-2026-26268, CVSS 8.1). The flaw exposed a new attack surface: the intersection of AI coding agents and Git hooks. By manipulating these integrated workflows, attackers could force a developer’s local AI agent to execute malicious code automatically, with no user interaction required.
Each of these incidents shares a common thread. Attackers used AI to reach deeper, move faster, or exploit trust relationships that traditional security controls weren’t designed to monitor.
What Security Programs Need to Change
The sheer scale of AI-generated code is now measurable. GitHub COO Kyle Daigle revealed in an X post that the platform was on pace for 14 billion commits, up from 1 billion in 2025, with more than 275 million commits per week.
That’s a 14x increase in code volume in a single year, driven largely by AI coding agents. Every commit is a potential change to the attack surface. Every change that ships without testing is a window.
The infrastructure security teams that depend on for prioritization are buckling under the same pressure. CVE submissions increased 263% between 2020 and 2025, and NIST announced in April 2026 that only an estimated 15 to 20% of incoming CVEs will receive full NVD enrichment going forward. Organizations that rely on CVSS scores from the NVD to drive patching decisions now have a growing blind spot.
Traditional penetration testing methodology was built for environments that changed slowly and could be assessed periodically. That model doesn’t survive contact with 14x code velocity and 72-minute attack timelines. The shift that matters is from periodic assessments to continuous, risk-based vulnerability management.
Gartner predicted that organizations adopting continuous threat exposure management (CTEM) programs would be three times less likely to suffer a breach by 2026. The principle is straightforward: scope, discover, prioritize, validate, mobilize, repeat. Continuously. AI-driven offensive testing is how that cycle scales across a full application portfolio without bottlenecking on human capacity.
Continuous Offensive Testing is the Only Way to Match Attacker Speed
The patterns all point in the same direction. Attacks move in minutes, the gaps are structural and well-documented, and the systems security teams have relied on for decades, periodic pentests, CVSS-based patching, and manual triage, are not built for this speed or this volume.
Matching attacker speed requires offensive testing that runs continuously, validates every finding with proof of exploitability, and closes the loop with remediation guidance specific to your environment.
That’s exactly what Novee does using a coordinated suite of AI agents that continuously test web applications, APIs, and external attack surfaces. Every finding is independently validated with working proof of exploitability, replication steps, and evidence trails. Remediation guidance is tailored to your stack, and automatic retesting confirms the fix held. Full visibility into what was tested, what was found, and what was verified gives security teams the coverage evidence they need between audits.
The speed gap between attackers and defenders is widening. Continuous AI-driven offensive testing is how you close it. Book a demo today to see how continuous offensive testing finds the vulnerabilities attackers are already looking for.
FAQs
Are AI-powered attacks only a risk for large enterprises, or does every organization face the same exposure?
Every organization faces exposure. AI has lowered the cost of running sophisticated attacks, which means smaller targets that weren’t worth the manual effort are now profitable. Smaller organizations often lack 24/7 SOC coverage, identity governance, and dedicated cloud security staff. That combination of limited visibility and fewer controls makes them attractive to automated AI-driven campaigns operating at scale.
What types of assets or systems do AI-powered attackers tend to target first?
Identity providers, Active Directory environments, and public-facing web applications are the most common initial targets. Attackers also increasingly go after AI supply chain components like model gateways, coding IDEs, and CI/CD tools. These systems often run with broad permissions in developer environments, giving attackers access to credentials, secrets, and build pipelines once a single component is compromised.
What does an organization that has already been hit by an AI-powered attack typically do differently afterward?
Post-attack organizations typically shift to identity-first, zero-trust security postures. They prioritize governance of non-human identities, implement continuous threat exposure management programs, and deploy detection systems that can match the speed of automated attackers. The most common lesson is that periodic assessments and static controls weren’t enough to keep pace with how fast the attack moved.
