Author: Rob Demain, CEO & Founder
The threat model behind most security programmes has held up well for a long time. The adversary buys or develops exploits at human pace, deploys them through infrastructure that gets reused enough to be tracked, and operates through tradecraft that has been catalogued, indexed in MITRE ATT&CK, and turned into vendor detection content.
That model is roughly right for many of the adversaries organisations still face. It is not adequate for the class of adversary now operating with AI-driven vulnerability discovery, polymorphic payload generation, and infrastructure rotation at scale.
AI-accelerated cyber attacks are no longer hypothetical. The threat model has to be redrawn against what is happening now.
Vulnerability discovery outpaces defender response
Mandiant’s M-Trends 2026 report puts mean time to exploit at an estimated negative seven days across its 2025 dataset. Exploitation is routinely being observed before a patch is available. Combined with Mythos-style AI vulnerability discovery at roughly fifty dollars per successful finding, the threat model can no longer assume the adversary is working primarily with vulnerabilities the defender has already seen.
Breakout times have collapsed
CrowdStrike’s 2026 Global Threat Report puts average eCrime breakout time at twenty-nine minutes in 2025, with the fastest observed at twenty-seven seconds. Mandiant reports that initial-access-broker handoff times have compressed from hours in 2022 to seconds in 2025. The window between exploitation, handoff, and lateral movement is now shorter than many security teams’ decision cycles.
Infrastructure rotates faster than intelligence feeds
Phishing-as-a-service operations, botnets, and compromised-device infrastructure shift domains, IP addresses, and routing paths faster than many threat intelligence feeds can publish and block. Threat intelligence remains valuable. But the model where an indicator is observed, published, consumed, and blocked before material harm occurs is becoming less reliable against the fastest-moving adversaries.
Payloads are less stable as detection anchors
Polymorphic generation means unique payloads per victim, per delivery attempt, or per execution path. CrowdStrike’s measurement of malware-free intrusions reinforces the same point: a large and growing share of AI-accelerated cyber attacks does not centre on malware at all. The decisive evidence is increasingly identity behaviour, execution context, lateral movement, privilege use, and the sequence of events across systems.
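To make that point concrete, here is an added example (not code from the original post or from e2e-assure) that flags lateral-movement behaviour over constructed authentication events without looking at any payload hash, domain or IP: one check for an identity fanning out to several hosts inside a breakout-scale window, and one for chained hops where a host just reached becomes the source of the next hop. The 29-minute window is taken from the post; the host threshold and the sample events are assumptions.

```python
"""Behaviour-anchored lateral-movement detection over constructed auth events.
Added example, not code from the post or from e2e-assure. It keys on identity
behaviour and the sequence of hops across systems, never on an indicator."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events: (timestamp, identity, source_host, target_host).
SAMPLE_EVENTS = [
    ("2026-03-01T09:00:00", "svc_backup", "ws-014", "fs-01"),
    ("2026-03-01T09:04:10", "svc_backup", "ws-014", "fs-02"),
    ("2026-03-01T09:07:45", "svc_backup", "ws-014", "dc-01"),
    ("2026-03-01T09:11:02", "svc_backup", "fs-02", "sql-03"),
    ("2026-03-01T09:00:00", "alice", "ws-022", "fs-01"),
    ("2026-03-01T14:30:00", "alice", "ws-022", "mail-01"),
]
# Window = the 29-minute average breakout time quoted in the post; MIN_HOSTS is an assumed tuning value.
WINDOW = timedelta(minutes=29)
MIN_HOSTS = 3

def parse_events(rows):
    # Parse raw rows into (datetime, identity, src, dst) tuples sorted by time.
    return sorted((datetime.fromisoformat(t), u, s, d) for t, u, s, d in rows)

def detect_fanout(events, window=WINDOW, min_hosts=MIN_HOSTS):
    """Per identity, slide a time window over its logons and alert the first time it
    reaches >= min_hosts distinct hosts. Returns {identity: (window_start, alert_time, hosts)}."""
    by_user = defaultdict(list)
    for ts, user, _src, dst in events:
        by_user[user].append((ts, dst))
    findings = {}
    for user, hops in by_user.items():
        start = 0
        for end, (ts, _dst) in enumerate(hops):
            while ts - hops[start][0] > window:   # drop hops older than the window
                start += 1
            hosts = {d for _, d in hops[start:end + 1]}
            if len(hosts) >= min_hosts:
                findings[user] = (hops[start][0], ts, hosts)
                break                             # first crossing is the alert time
    return findings

def detect_pivots(events, window=WINDOW):
    """Flag hops whose source host is one the same identity reached earlier in the
    window (the chained ws -> fs -> sql sequence). Returns [(identity, pivot_host, next_host)]."""
    reached = defaultdict(dict)   # identity -> {host: time first reached}
    pivots = []
    for ts, user, src, dst in events:
        first = reached[user].get(src)
        if first is not None and ts - first <= window:
            pivots.append((user, src, dst))
        reached[user].setdefault(dst, ts)
    return pivots
```

Against the sample, only svc_backup trips both checks: three hosts inside eight minutes, then a hop launched from fs-02, a host it had just reached; alice's two logons five hours apart trip neither.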
Connecting infrastructure may itself be a victim
Recent advisories on China-nexus covert networks describe extensive use of compromised SOHO routers, IoT devices, and smart devices by state-sponsored actors, including activity associated with Volt Typhoon and Flax Typhoon. The APT28 advisory from April 2026 described Russian GRU DNS-hijacking operations involving compromised routers. The apparent source of activity may not be an indicator of the adversary. It may be another victim.
Agentic operations are now part of the model
Anthropic’s November 2025 GTG-1002 disclosure described a Chinese state-sponsored campaign in which AI performed eighty to ninety percent of operations. Google’s Threat Intelligence Group has described malware families that use large language models during execution to generate or modify functionality dynamically. AI is no longer limited to phishing copywriting. It is appearing in vulnerability discovery, orchestration, code generation, and campaign execution.
What this means for security operations
None of this means every organisation faces a fully autonomous adversary tomorrow. Conventional controls still matter. Patching, identity security, endpoint telemetry, segmentation, and detection engineering all remain essential.
The change is that these controls now sit inside a different timing model. Defender assumptions about discovery speed, infrastructure reuse, payload stability, and human response time are less safe than they were twelve months ago.
At e2e-assure, our SOC was built for this operational reality. Security-cleared UK analysts working inside Cumulo, our AI-native SOC platform, run threat-intelligence-led detection engineering tuned to behavioural patterns rather than static indicators, monitoring IT/OT environments 24x7x365.
AI-accelerated cyber attacks demand security operations that match adversarial speed. The threat model has changed. The operating model has to change with it.
