Fight back faster: Why AI-powered defense is no longer optional for enterprise security



The new AI-powered threat landscape is already changing in ways that security teams can’t handle with harder work or more headcount. According to the Unit 42 Global Incident Response Report 2026, which is based on more than 750 critical incidents, attackers can go from initial access to data exfiltration in just 72 minutes, four times faster than last year. Additionally, exploit scans begin within 15 minutes of vulnerability disclosure. However, AI did not create a new attack category; it removed friction from existing attack categories and shortened defender response timelines from days to minutes.

New frontier AI models bring incremental changes to functionality. Trained to write code, they are extremely adept at finding vulnerabilities, combining multiple low-severity issues into critical-level exploit paths, and analyzing the entire exposure surface of applications, including SaaS and consumer platforms. As more capable frontier AI models become widely available, attackers will be able to increasingly automate reconnaissance, vulnerability discovery, phishing campaigns, and lateral movement to a degree not previously possible for individual operators or small teams.

As Palo Alto Networks Chairman and CEO Nikesh Arora writes in Weaponized Intelligence, frontier AI models can now systematically catalog all weaknesses in an organization’s technology infrastructure at scale and non-disruptively. With the help of frontier AI, a single attacker can now execute campaigns that once required an entire team.

What makes this moment particularly dangerous is that most organizations are not being compromised by outlandish, novel exploits. Instead, AI-powered attacks are rapidly capitalizing on conditions that CIOs already have the ability to fix. In more than 90% of incidents investigated by Unit 42, preventable gaps in security coverage effectively enabled the intrusion. Misconfigurations, inconsistently applied controls, and excessive identity trust were more decisive than any zero-day vulnerability.

Structural problems run deeper than individual gaps. Arora wrote that in 75% of breaches, there were logs that should have indicated anomalous behavior. Warning signs existed, but they were fragmented and buried in unconnected tools, and no one could see the big picture. This gap may have been manageable when attacks moved at human speed. At the speed AI will soon make possible, it has become a major liability.

Siloed security environments operating at human speed cannot keep up with threats that move in minutes. Integrating that infrastructure is a prerequisite for effective defense.

Fight AI with AI

The same AI capabilities that increase the speed and scale of attackers can also be brought to defense, but only within the right architecture. As Arora argues, models alone cannot provide sufficient enterprise security without underlying infrastructure, such as sensors across endpoints, network, identity, cloud, and browser, and an AI-enabled data lake that provides the context the models need.

Agentic defense operationalizes such an architecture. Rather than waiting for human analysts to correlate signals across multiple tools, autonomous systems investigate alerts at machine speed, correlate data across the environment, and quickly execute containment. Revoking compromised credentials, isolating affected workloads, and blocking lateral movement no longer rely on analysts being able to respond in a timely manner.

What actually happens

Palo Alto Networks has incorporated this architecture into its AI-driven security operations platform, Cortex XSIAM. In a 15-minute keynote, Chief Product and Technology Officer Lee Klarich will discuss how Cortex ingests raw data from any source, applies 2,900 machine learning models to detect attack behavior, including behavior that has never been seen before, and performs 1.9 billion automated actions annually through over 1,300 built-in playbooks. Organizations using this platform have seen results approximately four times faster than previous manual methods, with average remediation times measured in minutes instead of days. With the AI agent built into the automation engine, Klarich expects performance to improve even further.

The window for action is open. Security teams that integrate their infrastructure, invest in AI-driven detection, and build agent-driven response capabilities will be in a much better position than those that wait for the threat landscape to force them to intervene.

Let’s see what’s possible.


