How are security teams preparing for AI-driven attacks? 

Phishing is just one part of the problem. 87% of global organisations faced an AI-powered cyberattack in the past year. While we’re seeing the sheer volume of attacks rise, we’re also witnessing a fundamental shift in how digital criminals operate.

A tidal wave of AI is transforming cybersecurity. Both attackers and defenders are accelerating their efforts, automating everything and commanding armies of bots to join the fight.

How are security teams adapting their defences to match this new reality? Can they keep up—and if so, how?

What we mean by AI-driven attacks 

AI-driven attacks go far beyond simple malware with machine learning components. We’re talking about artificial intelligence as a force multiplier—accelerating every stage of the attack lifecycle, from initial data-gathering to performing transactions.

To put this in practical terms: where a traditional phishing campaign might target hundreds of recipients with a generic message, AI-driven attacks can generate thousands of personalised emails, each tailored to the recipient’s role, interests, and recent activity. The same AI tools that help marketers personalise content are now helping attackers craft convincing impersonations. IBM’s research shows this “5/5 rule” in action—AI can create phishing campaigns nearly as successful as human experts using just 5 prompts in 5 minutes, compared to 16 hours for human experts.

If these scenarios make you uneasy, you’re not alone. These things are happening now, at scale, with readily available tools. The barriers to entry have collapsed, allowing less skilled attackers to execute sophisticated campaigns that would have required expert knowledge just two years ago.

How modern AI empowers cyber criminals 

Reconnaissance and research at scale 

Traditional recon (scanning for potential victims and exploitable systems) required attackers to manually sift through social media profiles, company websites, and leaked databases. Now, AI can parse vast datasets in minutes, automatically identifying potential targets, mapping organisational structures, and uncovering exploitable information.

AI tools can analyse thousands of LinkedIn profiles to identify employees with privileged access, cross-reference their social media activity to find personal details, and even predict when they’re most likely to be vulnerable to social engineering—all without human intervention.

Data analysis and pattern recognition 

When credential dumps or corporate data leaks surface on the dark web, AI can instantly analyse millions of records to identify reused passwords, predict security questions, and map relationships between different accounts. What once took weeks of manual analysis now happens in hours.

More concerning though is that AI can look at a company’s public-facing infrastructure and automatically find potential attack vectors. It’s smart enough to recognise patterns in configurations that have led to vulnerabilities in the past.

Deepfakes and synthetic content 

Voice cloning technology can now create convincing audio impersonations from just a few minutes of recorded speech—often found in corporate videos or podcast appearances. Attackers use these to impersonate executives in urgent phone calls requesting wire transfers or credential resets.

Video deepfakes, whilst still needing more compute than LLMs, are becoming accessible tools for creating fake video calls or recorded messages. We’ve already seen cases where attackers used deepfaked video calls to convince employees they were speaking with their CEO. The stats on AI-generated phishing show how successful it can be: these emails achieve a 54% click-through rate compared to traditional spam’s 12% success rate. Even more alarming, 78% of recipients open AI-generated phishing emails, with 21% clicking on malicious content.

AI on offence vs defence: the digital arms race 

The asymmetry is pretty striking—it doesn’t always seem like a fair fight.

Attackers can use AI to optimise for maximum damage with minimal accuracy requirements—if a phishing campaign achieves even a 10% success rate across thousands of targets, it’s profitable. Defenders, though, need near-perfect accuracy to avoid overwhelming security teams with false positives.

That said, this imbalance is driving innovation on the defensive side. 73% of organisations are now investing in AI-specific security tools, recognising that traditional rule-based detection systems simply can’t keep pace with AI-accelerated threats.

The challenge is both technological and economic. Fully AI-automated phishing campaigns perform on par with human experts whilst being up to 50 times cheaper to execute. This cost advantage means we’ll see more attacks, more frequently, targeting smaller organisations that previously flew under the radar.

How defenders are fighting back with AI 

1) Natural language security queries

Security teams are increasingly using AI to democratise threat hunting. Instead of requiring deep query language expertise, analysts can now ask questions in plain English. They might ask something like “Show me all login attempts from unusual locations in the past week” or “Find communications patterns that match known command-and-control behaviour.”

The sky’s the limit when it comes to prompting LLM-based systems. You can go into as much detail as you like, and feed an AI data through different types of media, to gain really specific answers from a mess of complex data.

This capability can transform junior analysts into effective threat hunters. Security teams can have their investigative capacity multiplied without requiring years of specialised training.

2) Automated detection building

Rather than manually crafting detection rules, AI can now generate them from natural language descriptions of threats. If you describe a new attack technique, AI can automatically create the corresponding detection logic, test it against historical data, and refine it to minimise false positives.

This dramatically reduces the time between threat intel being published and protective measures getting deployed—a really solid advantage when 70% of exploited vulnerabilities are zero-days, with an average time-to-exploit of just five days.

3) Attack simulations and adversarial exposure validation

Organisations on the front foot are moving beyond traditional penetration testing toward continuous adversarial exposure validation (AEV). According to Gartner research, 40% of organisations will have adopted formal ‘exposure validation’ initiatives by 2027.

AEV uses AI to simulate attacker behaviour continuously, testing defences against realistic attack scenarios rather than waiting for annual pen tests. These systems can automatically discover new attack paths and validate whether existing controls would actually prevent specific threats. They can also quantify the business impact of potential breaches.

Here’s how it works in practice: 

• Continuous attack path discovery: AI automatically maps potential routes through your environment that attackers could exploit, updating these paths as your infrastructure changes
• Real-time control validation: Rather than assuming your firewall rules work, AEV actively tests whether they would actually block specific attack techniques
• Breach impact quantification: The system calculates exactly what data, systems, and business processes would be compromised if particular attack scenarios succeeded
• Threat-specific testing: When new vulnerabilities emerge, AEV immediately tests whether your environment is susceptible and how quickly an attacker could exploit them
• Evidence-based security decisions: Instead of relying on vendor claims about product effectiveness, you get concrete data about what actually protects your organisation

This approach shows real proof that your security investments work (and if they don’t, that’s useful to know too). It shifts from vendor claims to data-driven choices based on actual test results.

Why is continuous testing so important 

Annual penetration tests made sense back in the day, when attacks moved slowly and predictably. Things have obviously moved on; now that attackers can breach systems within an average of 72 minutes after a user clicks a malicious link, that approach does feel a bit out of date.

Continuous pen testing makes sure that your defences evolve as quickly as the threats. Here’s what it usually involves:

• Ongoing vulnerability discovery: Regular testing across your entire estate—network infrastructure, web apps, and APIs within Azure and AWS environments—without the limitations of annual scope restrictions
• Real-time threat intelligence integration: When new vulnerabilities or attack techniques emerge, immediate testing determines whether they’re’ risks to your specific environment or not, which informs remediation priorities
• Attack path verification: Capturing compromised credentials and reverse-engineering attack chains to understand exactly how breaches could unfold and their potential impact
• Active Directory security monitoring: Identifying duplicate and weak passwords across your environment, with automated alerts triggering password resets to strengthen your security posture
• Tripwire deployment: Strategic placement of monitoring throughout your environment to detect unusual activity or unauthorised access to high-value data, with manual trigger capabilities to test incident response in real time
• Flexible testing cadence: Whether responding to specific vulnerability disclosures, supporting change release processes, or maintaining regular assessment schedules, testing adapts to your operational needs

This approach gives a real advantage for firms going through rapid change. New applications, infrastructure modifications, or staff turnover all create potential security gaps that traditional annual testing would miss.

Stay ahead of AI-accelerated threats

AI has changed the game for cybersecurity. Defenders who adapt quickly will thrive; those who don’t might struggle to keep pace with exponentially growing attack methods.

At Two Four Secure, we help organisations implement continuous penetration testing across their entire estate—from network infrastructure to web apps and cloud environments. Our approach ensures you’re not just secure today, but prepared for the threats emerging tomorrow.

 

Get in touch to find out how you can strengthen your defences against AI-driven attacks.