Clear Signal
The Hybrid

AI didn't make attackers smarter. It made your backlog more expensive.

The threat-intel headlines say sophistication. The incident data says deferred maintenance. Both the technical read and the boardroom read, in one place.


There are two ways to read the last year of AI-assisted attacks, and which one you believe determines what you fund.

The headline read is a sophistication leap: AI hands attackers capabilities they did not have, so we are now outgunned and must buy our way back to parity. It sells conference keynotes and security products. It is also mostly wrong.

The technical read

Look at what the AI actually did in the incidents, not in the press release. It wrote a more convincing phishing lure. It sped up reconnaissance. It helped a low-skill operator chain together exploits for vulnerabilities that were already public and already unpatched in the target. In other words, AI lowered the skill floor for exploiting gaps you already knew about.

That is not a new class of threat. It is the same class of threat with the friction removed. The vulnerabilities being hit are the ones in your backlog — the patch you deferred, the exposed service you meant to decommission, the identity gap from the last post. AI was the accelerant. The fuel was your deferred maintenance.

This matters because the two readings point at opposite spending. The sophistication story says buy a new detection capability. The deferred-maintenance story says the highest-return move is closing known gaps faster than attackers can now exploit them — and the cost of leaving a gap open just went up, because the pool of people who can exploit it just expanded.

The boardroom read

For the executive who does not want the mechanics: the risk did not get more exotic. It got cheaper for the attacker. The same unpatched system that was a low-probability target last year is a higher-probability target now, because attacking it no longer requires a specialist. Nothing about our environment changed. The economics of attacking it did.

That framing survives a board meeting, and it points the conversation at execution speed — patch cadence, decommissioning, identity hygiene — rather than at a shopping list.

One thing to do this week

Take last quarter’s overdue remediation items. For each one, ask a sharper question than “how hard is this to exploit?” Ask: “has it just gotten easier?” The items where the answer is yes are your re-prioritised top of the list. The work did not change. The clock did.

#AI #threat-intel #strategy
