
AI‑Powered Attacks: When Bots Fight Bots

Eng. Donya Bino Published  ·  4 min read

Automation has quietly changed the balance
Cyber-attacks are no longer driven only by people sitting behind screens.
Much of the activity now comes from systems reacting to systems.
Attackers use automation to scan, adapt, and act at machine speed.
Defenders respond with their own automated detection and response tools.
The result is not a battle of hackers.
It is a feedback loop of bots making decisions faster than humans can.

What “AI-powered” really means in practice
Most attacks labeled as “AI-driven” are not science fiction.
They are practical uses of automation, pattern recognition, and decision rules.
In real incidents, AI is used to:
1. Identify weak targets faster
2. Adjust tactics after failed attempts
3. Scale attacks without adding staff
4. Reduce noisy mistakes that trigger alerts
The intelligence is narrow but effective.

Where attackers use automation today
Large-scale reconnaissance
Attackers no longer scan manually.
They let systems decide where to focus.
Common tools
1. Masscan
2. Custom Python scanners
3. Cloud-hosted automation
# Fast identification of exposed services
masscan 0.0.0.0/0 -p443 --rate 10000

Results are fed into scoring systems that prioritize targets automatically.

Credential attacks that adapt
Password attacks are tuned in real time.
If lockouts occur, bots slow down.
If MFA is detected, targets are deprioritized.
Observed logic
if mfa_detected:
    skip_target()
elif login_success:
    escalate_access()

No human decision is required.
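The defender's view of the pacing described above, as an added example that is not part of the original article: a per-account lockout rule misses a bot that slows down, while counting distinct failed accounts per source over a long window still catches it. The log format, thresholds and addresses (documentation ranges) are constructed assumptions, and the lines are assumed to be in time order.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)")

def sample_log():
    """Constructed auth log: one paced source, plus one user mistyping a password."""
    base = datetime(2025, 1, 10, 8, 0)
    lines = [f"{(base + timedelta(minutes=50 * i)).isoformat()} src=203.0.113.7 user=user{i:02d} result=FAIL"
             for i in range(8)]   # one attempt per account, 50 minutes apart
    lines += [f"{(base + timedelta(seconds=20 * i)).isoformat()} src=198.51.100.20 user=alice result=FAIL"
              for i in range(6)]  # six quick failures on a single account
    return sorted(lines)          # ISO timestamps sort chronologically

def parse(lines):
    for line in lines:
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["res"]

def lockout_alerts(lines, threshold=5, window=timedelta(minutes=10)):
    """Classic per-account rule: N failures for one user inside a short window."""
    recent, hits = defaultdict(list), set()
    for ts, _, user, res in parse(lines):
        if res == "FAIL":
            recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
            if len(recent[user]) >= threshold:
                hits.add(user)
    return hits

def slow_spray_sources(lines, min_users=5, window=timedelta(hours=24)):
    """Per-source rule: failures spread across many distinct accounts in a long window."""
    fails, flagged = defaultdict(list), set()
    for ts, src, user, res in parse(lines):
        if res != "FAIL":
            continue
        fails[src] = [(t, u) for t, u in fails[src] if ts - t <= window] + [(ts, user)]
        # Shared egress points (NAT, VPN) need a higher threshold or an allow-list.
        if len({u for _, u in fails[src]}) >= min_users:
            flagged.add(src)
    return flagged

if __name__ == "__main__":
    log = sample_log()
    print("per-account lockout rule:", lockout_alerts(log))
    print("per-source spray rule:   ", slow_spray_sources(log))
```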

Using social engineering as a tool to grow
1. Language model tools help write convincing emails.
2. Tone is adjusted based on responses.
3. The style of internal communication is imitated.
4. Attackers can test multiple variations concurrently and keep the best-performing versions.
Defenders, on the other hand, see only the final refined variation.

Lateral movement based on available information
Once inside the organization, bots can map the environment and suggest paths.
Common inputs:
1. Directory structure
2. Permissions graph
3. Access success rates

Tool: BloodHound (with automated analysis)
SharpHound.exe -c All

The system highlights the easiest expansion paths.

When defense is also automated
Most organizations already rely on automation.
Examples include:
1. EDR auto-isolating endpoints
2. SOAR platforms closing tickets
3. Cloud security tools revoking keys
4. Email gateways blocking patterns

These systems work well at scale.
They also create predictable responses.
Attackers learn those patterns.

Real-world examples
Example 1: Bot vs. email defense
1. Automated phishing campaign launched
2. Email gateway blocked initial versions
3. Language model rewrote messages
4. Later variants passed filters

Example 2: Cloud abuse throttling
1. Attackers tested API abuse limits
2. Requests slowed automatically to avoid alerts
3. Access maintained for weeks

Example 3: Automated response misfire
1. EDR isolated a server automatically
2. Business application went offline
3. Attackers waited for manual override
4. Re-entered using valid credentials

How Leadership Will Be Impacted by Use of Automation
Automation introduces risk in ways we may not be fully aware of at present.

Three Key Factors:
1. The rate of attack will outpace our ability to respond.
2. Attacks against small, misconfigured systems will occur at scale.
3. An automated defense response system is only as good as the business context it operates within.
The challenge for leaders is not managing technology as a technical problem; it is managing the "incidents" that occur due to technology.

Common Issues for Leaders:
1. AI attacks may be perceived as rare, and therefore either not a current issue or a problem for further down the line.
2. Leaders will be tempted to trust machines to respond to incidents without any human oversight.
3. Leaders may think that simply measuring success through blocked alerts will suffice and not consider the potential impact to the business.
4. Leaders have not determined the point at which a human will override a machine.
Unused automation creates additional avenues for failure.

What Does Work for Leaders
Organizations that manage this risk well use control, rather than hype, as the measure of value.

Best Practices
1. Clearly define the boundaries on when automated responses should occur.
2. Frequently review which systems have the ability to disable services.
3. Test the attacks that adversaries may employ against our systems.
4. Use human intervention in decisions with major impact.
5. Base metrics on downtime and data breach exposure.
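One way to encode the first, second and fourth practices as a gate in front of automated isolation, as an added example that is not the article's or any vendor's code. The asset inventory, severity scale, hourly limit and the credential-reset follow-up (prompted by the re-entry with valid credentials in Example 3) are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical inventory (constructed): which hosts carry a business service.
ASSETS = {
    "wks-0142": {"tier": "workstation", "service": None},
    "erp-db-01": {"tier": "critical", "service": "ERP"},
}
AUTO_SEVERITY = 7      # assumed 0-10 scale; below this a person decides
MAX_AUTO_PER_HOUR = 3  # assumed limit on how much the tool may isolate unattended

@dataclass
class Decision:
    action: str            # "auto_isolate" or "hold_for_human"
    reason: str
    followups: tuple = ()  # work that isolation alone does not cover

class ResponseGate:
    def __init__(self):
        self.recent = []   # timestamps of automatic isolations

    def decide(self, host, severity, accounts_on_host, now):
        self.recent = [t for t in self.recent if now - t < timedelta(hours=1)]
        # Isolation leaves stolen credentials valid, so every outcome carries resets.
        followups = tuple(f"reset_credentials:{a}" for a in sorted(accounts_on_host))
        asset = ASSETS.get(host)
        if asset is None:
            return Decision("hold_for_human", "host not in inventory", followups)
        if asset["tier"] == "critical":
            return Decision("hold_for_human",
                            f"isolation takes {asset['service']} offline", followups)
        if severity < AUTO_SEVERITY:
            return Decision("hold_for_human", "severity below automatic threshold", followups)
        if len(self.recent) >= MAX_AUTO_PER_HOUR:
            return Decision("hold_for_human", "hourly automatic isolation limit reached", followups)
        self.recent.append(now)
        return Decision("auto_isolate", "non-critical host, high severity", followups)

if __name__ == "__main__":
    gate, now = ResponseGate(), datetime(2025, 1, 10, 9, 0)
    print(gate.decide("erp-db-01", 9, {"svc_erp"}, now))
    print(gate.decide("wks-0142", 9, {"bob"}, now))
```

The held decisions are the ones a named person answers for, which also gives the board question "When does a human step in, and who decides?" a concrete place in the workflow.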

Questions boards should ask
1. Which security actions happen automatically today?
2. What business systems can be taken offline by tools?
3. How do we test attacker adaptation to our defenses?
4. When does a human step in, and who decides?
5. Are our controls optimized for speed or for stability?
These questions surface risk faster than AI strategy decks.

AI-powered attacks are not about smarter hackers.
They are about faster iteration and scale.
When bots fight bots, the organizations that fare best are those that govern automation carefully, understand its limits, and keep decision authority aligned with business risk.

 


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067