AI Did Not Replace the Attacker. It Made the Attacker Faster.

Apr 28

Every few months, a new headline declares that AI has fundamentally changed cyberattacks. Boards ask about it. Vendors pitch against it. Security teams brace for a wave of AI-generated exploits that never quite arrives the way the warnings suggested.

Here is what the data actually shows.

The Breach Data Does Not Support the Panic

Mandiant's 2025 findings are direct on this point: 2025 was not the year breaches were directly caused by AI. The intrusions that defined last year looked familiar — credential theft, phishing, unpatched systems, misconfigured infrastructure, and human error. The same entry points that have dominated incident response for a decade.

Sophos echoes this. GenAI has not produced a major transformation in attacker behavior. The attack lifecycle — reconnaissance, initial access, lateral movement, exfiltration — is structurally unchanged.

This matters because panic about AI can distort where security teams spend their limited attention. When defenders prepare for a science-fiction threat, they sometimes under-invest in the mundane controls that stop the actual threats.

What AI Is Actually Doing for Attackers

That said, dismissing AI entirely would be the wrong read.

What Mandiant and Sophos both document is acceleration and scale — not replacement. Attackers are integrating AI into discrete parts of the attack lifecycle to go faster and wider, not to invent new attack categories.

Phishing and social engineering at scale. This is where the impact is most documented and most immediate. GenAI lets threat actors produce high-volume, grammatically clean, contextually plausible phishing content without the resource overhead that previously created detectable patterns. The old tells, broken grammar, odd phrasing and implausible pretexts, are gone. Lure emails now read like internal communications, vendor notices, or HR correspondence. Sophos notes the increase in both scale and polish, meaning more emails, better emails, against more targets simultaneously.

Reconnaissance acceleration. AI tools help attackers process and correlate open-source intelligence faster — org charts, job postings, LinkedIn data, leaked credential sets — to build targeted pretexting faster than manual methods allowed.

Script and tool iteration. Lower-sophistication actors are using AI assistants to iterate faster on malware modifications and evasion logic, lowering the barrier to entry for certain attack patterns.

What This Means for a Small Security Team

The attacker using AI to craft a better phishing email still needs to get a credential, still needs to move laterally, still leaves indicators. The fundamentals of detection have not been invalidated. What has changed is the volume and quality of the initial lure — which means your end-user training and email filtering need to account for a higher baseline of social engineering quality.

Concretely: MFA on everything internet-facing; credential monitoring; phishing-resistant authentication where feasible; regular tabletop exercises that include social engineering scenarios; and threat intelligence workflows that surface active phishing campaigns targeting your sector.
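One practical consequence of the "higher baseline of lure quality" point: email filtering that leans on grammar and spelling tells now misses well-written lures, so triage should weight structural signals in the headers that a fluent lure cannot hide. The script below is an added example, not code from the original post or from ThreatSpire. It scores messages on Reply-To/From domain mismatch, an address embedded in the display name that disagrees with the real sender, lookalike sender domains (confusable characters or one-edit variants of a trusted domain), absence of a DMARC pass in Authentication-Results, and, weighted lowest, urgency wording. The trusted-domain list, the weights, and the two sample messages are constructed assumptions.

```python
"""Header-based phishing triage that does not depend on language quality.
Added example; TRUSTED_DOMAINS, the weights and both messages are constructed."""
import email
import re
from email.utils import parseaddr

# Assumption: the organisation's own domain plus vendors it expects mail from.
TRUSTED_DOMAINS = {"example.com", "vendor-payroll.example"}

# Digit-for-letter swaps commonly used to register lookalike domains.
_CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Urgency cues: still a signal, but weighted low because polished lures vary them.
URGENCY = ("action required", "immediately", "urgent", "verify your", "today")


def normalise(domain: str) -> str:
    """Fold confusable characters so 'examp1e.com' compares equal to 'example.com'."""
    return domain.lower().replace("rn", "m").translate(_CONFUSABLE)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this sender domain imitates, or None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == trusted or edit_distance(domain, trusted) <= 1:
            return trusted
    return None


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str):
    """Score one RFC 5322 message (headers + body as text). Returns (score, reasons)."""
    msg = email.message_from_string(raw)
    reasons = []
    score = 0
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Replies routed to a domain other than the apparent sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        reasons.append(f"reply-to domain {_domain(reply_addr)} differs from {from_dom}")
        score += 2

    # 2. Display name carries an address whose domain is not the real sender's.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", from_name)
    if shown and shown.group(1).lower() != from_dom:
        reasons.append(f"display name claims {shown.group(1)} but sender is {from_dom}")
        score += 3

    # 3. Sender domain imitates a domain we trust.
    target = lookalike_of(from_dom)
    if target:
        reasons.append(f"sender domain {from_dom} imitates {target}")
        score += 3

    # 4. No DMARC pass recorded. Assumption: the receiving MTA stamps
    #    Authentication-Results with dmarc=pass/fail/none.
    if "dmarc=pass" not in msg.get("Authentication-Results", ""):
        reasons.append("no dmarc=pass in Authentication-Results")
        score += 1

    # 5. Urgency wording in the subject (low weight, language-dependent).
    subject = msg.get("Subject", "").lower()
    if any(cue in subject for cue in URGENCY):
        reasons.append("urgency wording in subject")
        score += 1

    return score, reasons


# Constructed sample messages; neither is real mail.
LEGIT = """\
From: Jane Doe <jane@example.com>
To: bob@example.com
Subject: Q2 planning notes
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Notes from this morning attached.
"""

PHISH = """\
From: "jane@example.com" <jane.doe@examp1e.com>
Reply-To: payroll-update@mail-relay.example
To: bob@example.com
Subject: Updated direct deposit form - action required today
Authentication-Results: mx.example.com; dmarc=none header.from=examp1e.com

Hi Bob, please confirm the attached banking details before the payroll run.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("phish", PHISH)):
        s, why = score_message(raw)
        print(f"{label}: score={s}", *why, sep="\n  ")
```

Every signal above survives a perfectly written lure body, which is the point: when the text no longer betrays the attacker, the mail's routing and authentication metadata still can. Thresholds and weights are illustrative and should be tuned against your own mail flow.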

The Vendor Noise Problem

There is a secondary issue worth naming. The AI-threat hype cycle benefits vendors. Every AI-powered attack claim is an opportunity to sell an AI-powered defense. Some of those defenses are legitimate. Many are rebranded existing capabilities with "AI" appended to the product name.

Your job — and the job of any good CTI practice — is to separate documented attacker behavior from marketing. When a vendor claims AI has changed the threat landscape, ask for the incident data. Mandiant and Sophos are publishing it. The answer is more nuanced than the pitch.

The Bottom Line

AI made the attacker faster and cheaper at parts of the job they were already doing. It did not replace them, invent new intrusion categories, or render your existing controls obsolete.

Take AI-enabled social engineering seriously. The phishing lure quality increase is real and documented. Invest accordingly in training and detection. Do not let the hype pull resources away from patching, credential hygiene, and the blocking-and-tackling that stops the majority of actual breaches. The fundamentals won 2025. They will win 2026 too.

ThreatSpire helps small security teams and MSSPs cut through noise — turning raw threat data into investigation-ready intelligence without the enterprise price tag.
