AI in Cyber Attacks: What’s Actually Changing for Defenders

When clients ask me where AI is changing the cyber threat landscape, my answer usually surprises them. It’s not the science-fiction scenarios. It’s the volume and polish of the everyday attacks (phishing, social engineering, vulnerability discovery) happening at a speed that traditional security operations weren’t built to handle.

This piece looks at what’s actually changing in AI-powered cyber attacks, and what defenders should be doing about it.

What’s actually changing

The attack techniques themselves haven’t changed dramatically. Threat actors are still phishing, scanning, and exploiting weak identity controls. What’s changed is the cost and speed of doing all of that.

A few things I keep seeing in client environments:

  • Phishing quality has jumped. The old telltale signs of a phishing email (broken English, odd phrasing, generic greetings) are largely gone. Email content is well-written, contextually relevant, and often references real internal events scraped from open sources.
  • Reconnaissance is faster. Tasks that used to take a determined attacker days, like mapping an organisation’s tech stack or identifying high-value targets, can now be automated end to end.
  • Vulnerability discovery and exploitation are being industrialised. Once a CVE is published, the gap between disclosure and broad, automated exploitation has shortened materially, and the patching window has shrunk with it.

Where most organisations are caught short

In my experience, the gap isn’t usually a missing tool. It’s how the existing tools are tuned, and how quickly the SOC turns an alert into a decision.

Three areas worth a look:

  1. Detection coverage. Are your detections written around behaviours (privilege escalation, lateral movement, anomalous data access) or are they still mostly signature-based? A signature keys on an artefact the attacker controls (a file name, a hash, a sender domain) and can swap cheaply; a behavioural detection keys on what the attacker has to do to reach their objective. That is why behaviour-driven detections age better against fast-moving threats.
  2. Alert-to-action time. It’s not enough to detect early if the alert sits in a queue for hours. Triage automation, enrichment, and clear runbooks matter more than they used to.
  3. Email and identity hygiene. With phishing quality this good, multi-factor authentication (ideally phishing-resistant, since one-time codes can be relayed through the same convincing lure), conditional access, and sensible mailbox protections do more practical work than any SIEM rule.
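To make the distinction in item 1 concrete, here is an added example (my own illustration, not code from the original article or from any product) that runs a signature-keyed rule and a behaviour-keyed rule over a handful of constructed Windows logon events. The blocklist, the fan-out threshold of five hosts, the ten-minute window, the renamed tool and all host and account names are assumptions chosen for the illustration.

```python
"""Signature-keyed vs. behaviour-keyed detection over constructed logon events."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data), one logon per line:
# timestamp,user,src_host,dst_host,logon_type,tool
# logon_type follows the Windows convention: 2 = interactive, 3 = network, 10 = RDP.
SAMPLE_LOG = """\
2024-05-01T09:00:00,alice,WS-ALICE,FS-01,3,svchost.exe
2024-05-01T09:05:00,alice,WS-ALICE,MAIL-01,3,svchost.exe
2024-05-01T09:30:00,bob,WS-BOB,FS-01,3,svchost.exe
2024-05-01T09:31:00,bob,WS-BOB,FS-01,3,psexec.exe
2024-05-01T10:00:00,svc_backup,BKP-01,FS-01,3,update.exe
2024-05-01T10:00:20,svc_backup,BKP-01,FS-02,3,update.exe
2024-05-01T10:00:40,svc_backup,BKP-01,DB-01,3,update.exe
2024-05-01T10:01:00,svc_backup,BKP-01,HR-01,3,update.exe
2024-05-01T10:01:20,svc_backup,BKP-01,DC-01,3,update.exe
2024-05-01T10:01:40,svc_backup,BKP-01,WS-CEO,10,update.exe
2024-05-01T11:00:00,carol,WS-CAROL,WS-CAROL,2,explorer.exe
""".splitlines()

# Hypothetical blocklist standing in for a signature feed (assumption).
KNOWN_BAD_TOOLS = {"mimikatz.exe", "psexec.exe", "wmiexec.py"}


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    user: str
    src_host: str
    dst_host: str
    logon_type: int
    tool: str


def parse_events(lines):
    """Parse CSV logon lines into LogonEvent objects, oldest first."""
    events = []
    for line in lines:
        ts, user, src, dst, ltype, tool = line.split(",")
        events.append(LogonEvent(datetime.fromisoformat(ts), user, src, dst, int(ltype), tool))
    return sorted(events, key=lambda e: e.ts)


def signature_detect(events):
    """Signature-keyed rule: fire when the recorded tool name is on the blocklist.
    The attacker controls this field, so renaming the binary is enough to evade it."""
    return [(e.user, e.tool) for e in events if e.tool.lower() in KNOWN_BAD_TOOLS]


def lateral_movement_detect(events, host_threshold=5, window=timedelta(minutes=10)):
    """Behaviour-keyed rule: one account opening remote logons (types 3 and 10) to
    more than `host_threshold` distinct hosts inside a sliding `window`.
    The tool name is irrelevant; the fan-out itself is the signal."""
    recent = defaultdict(deque)   # user -> deque of (ts, dst_host) inside the window
    alerted = set()               # one alert per account for this illustration
    alerts = []
    for e in events:
        if e.logon_type not in (3, 10):
            continue
        q = recent[e.user]
        q.append((e.ts, e.dst_host))
        while q and e.ts - q[0][0] > window:
            q.popleft()               # drop logons that fell out of the window
        hosts = {dst for _, dst in q}
        if len(hosts) > host_threshold and e.user not in alerted:
            alerted.add(e.user)
            alerts.append((e.user, e.ts.isoformat(), sorted(hosts)))
    return alerts


def run_detections(lines=SAMPLE_LOG):
    """Run both rules over the sample and return their hits side by side."""
    events = parse_events(lines)
    return {
        "signature": signature_detect(events),
        "behaviour": lateral_movement_detect(events),
    }


if __name__ == "__main__":
    for rule, hits in run_detections().items():
        print(f"{rule}: {hits}")
```

On this sample the signature rule catches bob's single psexec.exe logon and nothing else, while the behavioural rule ignores the tool name entirely and fires on svc_backup reaching six hosts in under two minutes with a binary called update.exe. The same fan-out logic translates directly into a streaming or SIEM query (count distinct destination hosts per account over a time window); the values to tune in a real environment are the threshold and window, which should be set above what your backup, scanning and management accounts legitimately do.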

A practical place to start

If I were advising a CISO on a single quarter’s work, I’d focus on three things. Get a clear picture of what the SOC actually sees and doesn’t see. Identify the top five detections that fire most often and ask honestly whether they’re producing value or just noise. Cut the ones that don’t earn their place and put that effort into behaviour-based detections that match the way attacks now run.
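The noise review above, and the alert-to-action point from the earlier list, come down to three numbers per rule: how often it fires, how often that turned out to be real, and how long alerts wait for a decision. The following is an added example (my own, not code from the original article or from Splunk) that computes those numbers from a constructed alert export and flags the high-volume, low-precision rules to tune or retire first. The rule names, timestamps, dispositions and the 10 per cent precision cut-off are all assumptions for the illustration.

```python
"""Scorecard for detection rules: volume, precision and alert-to-action time."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed alert export (not a real SOC dataset). One closed alert per line:
# rule,created,actioned,disposition
SAMPLE_ALERTS = """\
rule,created,actioned,disposition
Multiple Failed Logons,2024-05-01T08:00,2024-05-01T11:30,false_positive
Multiple Failed Logons,2024-05-01T08:10,2024-05-01T12:00,false_positive
Multiple Failed Logons,2024-05-01T09:00,2024-05-01T13:15,false_positive
Multiple Failed Logons,2024-05-01T09:40,2024-05-01T14:00,false_positive
Multiple Failed Logons,2024-05-01T10:05,2024-05-01T15:00,false_positive
Multiple Failed Logons,2024-05-01T11:00,2024-05-01T16:30,false_positive
Multiple Failed Logons,2024-05-01T13:00,2024-05-02T09:00,false_positive
Multiple Failed Logons,2024-05-01T14:00,2024-05-02T09:30,false_positive
Outbound Connection To Rare Port,2024-05-01T08:30,2024-05-01T10:30,false_positive
Outbound Connection To Rare Port,2024-05-01T09:30,2024-05-01T11:45,false_positive
Outbound Connection To Rare Port,2024-05-01T10:30,2024-05-01T13:00,false_positive
Outbound Connection To Rare Port,2024-05-01T12:00,2024-05-01T15:00,false_positive
Outbound Connection To Rare Port,2024-05-01T13:30,2024-05-01T17:00,false_positive
Impossible Travel Logon,2024-05-01T08:15,2024-05-01T08:45,false_positive
Impossible Travel Logon,2024-05-01T10:20,2024-05-01T10:50,true_positive
Impossible Travel Logon,2024-05-01T12:10,2024-05-01T12:55,false_positive
Impossible Travel Logon,2024-05-01T15:00,2024-05-01T15:20,false_positive
New Local Admin Added,2024-05-01T09:05,2024-05-01T09:20,true_positive
New Local Admin Added,2024-05-01T11:15,2024-05-01T11:40,false_positive
New Local Admin Added,2024-05-01T16:00,2024-05-01T16:10,true_positive
Mass File Read By Single Account,2024-05-01T10:00,2024-05-01T10:12,true_positive
Mass File Read By Single Account,2024-05-01T14:30,2024-05-01T14:50,true_positive
""".strip().splitlines()


def parse_alerts(lines):
    """Parse CSV alert lines (first line is the header) into dicts with datetimes."""
    header, *rows = lines
    keys = header.split(",")
    alerts = []
    for row in rows:
        rec = dict(zip(keys, row.split(",")))
        rec["created"] = datetime.fromisoformat(rec["created"])
        rec["actioned"] = datetime.fromisoformat(rec["actioned"])
        alerts.append(rec)
    return alerts


def rule_scorecard(alerts):
    """Per rule: how often it fired, what fraction was a real incident, and how long
    the median alert waited for an analyst decision. Sorted noisiest first."""
    by_rule = defaultdict(list)
    for a in alerts:
        by_rule[a["rule"]].append(a)
    card = []
    for rule, items in by_rule.items():
        true_positives = sum(1 for a in items if a["disposition"] == "true_positive")
        minutes = [(a["actioned"] - a["created"]).total_seconds() / 60 for a in items]
        card.append({
            "rule": rule,
            "volume": len(items),
            "precision": true_positives / len(items),
            "median_minutes_to_action": median(minutes),
        })
    card.sort(key=lambda r: (-r["volume"], r["rule"]))
    return card


def noise_candidates(card, top_n=5, min_precision=0.10):
    """Rules in the top_n by volume whose precision falls below min_precision:
    the ones to tune or retire first. Both thresholds are illustrative assumptions."""
    return [r["rule"] for r in card[:top_n] if r["precision"] < min_precision]


def review(lines=SAMPLE_ALERTS):
    """Build the scorecard and the cut list from an alert export."""
    card = rule_scorecard(parse_alerts(lines))
    return card, noise_candidates(card)


if __name__ == "__main__":
    card, cut = review()
    for r in card:
        print(f'{r["rule"]:<35} fired={r["volume"]:>3}  precision={r["precision"]:.2f}  '
              f'median_minutes_to_action={r["median_minutes_to_action"]:.0f}')
    print("tune or retire first:", cut)
```

Two things the output makes visible that a raw alert count does not. First, the two noisiest rules in this sample never produced a real incident and their alerts sat for hours, in one case overnight, which is exactly the queue problem the alert-to-action point describes. Second, the low-volume rules with high precision (the new-admin and mass-file-read behaviours) are the ones to keep and build on, so the cut list is restricted to the top of the volume ranking rather than applied to every rule. The scorecard is only as good as the dispositions analysts record, so agree the closing categories before trusting the precision column.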

For Splunk customers, this is also a good moment to revisit your data sources. AI-era threats produce signals that aren’t always in the obvious places. Identity systems, EDR, and SaaS audit logs often hold the early indicators that network logs alone won’t reveal.

A real-world observation

A client we worked with recently had strong tooling but a detection set that hadn’t been seriously revisited in two years. Tuning out the noise and rewriting a handful of behaviour-based detections cut their average alert volume by around 40 per cent without losing any meaningful coverage. The SOC went from drowning to deciding.

Summing up

AI-powered cyber attacks aren’t a separate category. They’re the same attacks you’ve always defended against, running faster and reading better. The good news is the defensive playbook hasn’t fundamentally changed. The investment now is in tuning, behavioural detection, and getting alerts to action quickly.

If you’d like a second opinion on your detection coverage or where AI is shifting your threat model, get in touch. We are always happy to have the conversation.