How AI Is Changing the Threat Landscape

AI changed how attacks are structured, how fast they move, and how much they look like legitimate activity while underway. The three shifts every MSP needs to understand right now:

• The window to respond is compressing. Breakout time, the interval between initial access and an attacker moving to other systems, is now measured in minutes in many cases. Exploit timelines are shrinking. The gap between "something happened" and "damage is done" is smaller than it's ever been.
• Attacks look legitimate by design. Stolen credentials and trusted admin tools have become the primary entry path. Attackers aren't triggering malware alerts. They're logging in with valid usernames and passwords, then using the same remote tools your engineers use every day.
• Volume is the enemy. AI lets attackers probe and personalize at scale. Generic, broad-spectrum detections respond by firing at scale too, producing more alerts, more triage, and more noise that buries the signals that matter.

The organizations and MSPs navigating this environment well are getting better context, faster.

What AI Changed for Attackers

The conversation about AI in security tends to drift toward the dramatic: autonomous hacking agents, models writing zero-days from scratch. The more immediate shift, however, is less cinematic and more dangerous precisely because of how mundane it looks.

Anthropic's own red team research confirmed earlier this year that their Mythos model autonomously identified and exploited a 17-year-old remote code execution vulnerability in FreeBSD, with no human involved after the initial prompt. Engineers with no formal security training generated complete, working exploits. Against patched Firefox vulnerabilities, the same task produced 181 working exploits, compared to two from the previous generation model. And through Project Glasswing, Anthropic and approximately 50 partners used Mythos to find more than 10,000 high- or critical-severity vulnerabilities across critical software infrastructure, including over 1,700 confirmed criticals in open-source packages alone.

Anthropic has noted that the bottleneck is no longer finding vulnerabilities. It's the human capacity to triage, disclose, and patch them. Some open-source maintainers have asked Anthropic to slow its disclosure rate because they can't keep up. If that's the reality for dedicated security teams, it's an even harder problem for MSPs working through change advisory boards, change control processes, and patch testing cycles with the same headcount they had last year. Exploitation will outpace that process. That's not a criticism. It's the new math, and it changes what "good security posture" means.

It’s important to note that this isn't a single-model event. Independent researchers confirmed that the headline results were largely reproducible using cheaper models working in parallel. Other frontier labs are approaching comparable capability. Open-weight models with no access controls are already widely available. And in May 2026, Google confirmed attackers in the wild using an unidentified AI model to discover and attempt to exploit a zero-day vulnerability. The vulnerability discovery acceleration is a trend baked into the general trajectory of AI, and it's not slowing down.

The volume of new vulnerabilities and viable exploits is going to increase, sustained and sharply, for the foreseeable future. Patching cycles that were already under pressure are about to get more so. Incident response volume is expected to grow with it.

What that means operationally is that attack surface area management matters more than it ever has. Every unpatched edge device, every over-permissioned account, every legacy VPN granting flat network access on a valid password significantly reduces your risk.

How These Attacks Play Out in the Real World

The AI acceleration story is most visible when you look at how actual intrusions unfold. Three patterns are dominating the current threat environment.

Ransomware via credential theft and trusted tool abuse

Initial access typically comes through stolen credentials or MFA token theft. From there, attackers move quickly toward the fastest path from compromised account to admin control. Domain controllers, backup systems, RMM tools, and SaaS portals become the high-value targets in the recon phase.

What makes this hard to catch isn't the sophistication of the tooling. It's that attackers deliberately use the same tools your team uses: RMM platforms, PowerShell, PsExec, and remote admin consoles. They blend in with normal IT activity. Activity that looks like administration is administration, until you have the identity, device, session, and behavioral context to know otherwise.

The endgame is extortion at multiple layers: data encrypted, data stolen, customers threatened, and regulators notified.

Business email compromise and financial theft

The BEC playbook has always been about patience and impersonation. AI has made both cheaper. Attackers compromise Microsoft 365, Google Workspace, or identity provider accounts, again usually via credential theft, and spend time understanding the environment before acting. They read mailboxes. They map payment workflows, vendor relationships, and executive communications. They set up inbox rules to hide their activity and wait for the right moment.

When they move, they're not sending obvious phishing emails. They're inserting themselves into existing threads, impersonating real vendors in active payment conversations, and redirecting wire transfers with the full context of a legitimate business relationship behind them. The message looks right because it's built from real intelligence.

RMM compromise and MSP-targeted attacks

When an attacker compromises an MSP's RMM tooling or administrative credentials, they get a path to every client that tooling touches.

The access pattern looks indistinguishable from legitimate MSP administration. Attacker-controlled remote agents get deployed as if they were approved software. Known tools get rebranded to look like trusted platforms. From there, keyloggers, credential theft, and lateral movement across multiple tenants follow quickly.

Why Traditional Detection Struggles Against AI-Enabled Threats

The common thread across these three patterns is that they're designed to evade the way most organizations look for threats. Signature-based detection doesn't fire on legitimate admin tools. Rule-based alerts don't flag a valid login from an attacker using stolen credentials. And when every step looks benign in isolation, the only way to see the attack is to correlate across identity, device, network, and behavioral signals simultaneously.

This is where the detection gap lives, and where AI-enabled attacks have the widest advantage over conventional security stacks.

The answer isn't more alerts. A single compromised account might generate dozens of individually low-confidence signals before anything escalates: a login from a new location, a new device, a forwarding rule, a file access. Presented as separate alerts, each gets triaged, deprioritized, or ignored. Correlated against a behavioral baseline with full session and identity context, they're a clear intrusion in progress.

For MSPs managing this across dozens or hundreds of client environments, the math gets harder fast. The volume of low-signal alerts from AI-accelerated attack attempts is already straining teams built to handle a slower, more manual triage process.

What changes the math is replacing isolated rule-firing with cross-domain correlation. Connecting identity, endpoint, network, and cloud signals into behavioral models distinguishes real IT activity from attacker-controlled tools, and surfaces high-confidence cases instead of individual events. When a new AnyDesk installation appears on a workstation and is immediately followed by a long-lived outbound session, that's not a separate endpoint alert and a separate network alert. It's one story, and it needs to read that way.

Reducing that blast radius before detection even kicks in is the other half of the equation. Internal segmentation, enforced through SASE and LAN ZeroTrust (LZT), limits how far an attacker can move once they're inside. Even when credentials are valid and tools are trusted, segmentation constrains lateral movement to only the resources a user or device should be able to reach. It doesn't stop the initial compromise, but it buys time, shrinks the damage surface, and gives detection the opportunity to catch up before the attacker reaches the assets that matter most.

The Supply Chain Dimension

The most efficient target isn't a single organization. It's the one with access to hundreds of them. IBM X-Force's 2026 reporting documents that major supply chain and third-party breaches have quadrupled over five years. North America is now the most-attacked region by incident volume, accounting for 29% of all X-Force IR cases in 2025, up from 24% the year before.

The 2026 incident record reflects that trend. ShinyHunters ransomware hit Instructure, the company behind Canvas LMS, in May 2026: 9,000 schools, 275 million records, 3.65TB of data. In the same window, Trellix had its security tool source code accessed by attackers. When attackers get source code for a security product, they get a map to its weaknesses.

For SMBs and mid-market organizations served by MSPs, supply chain risk is often invisible until it isn't. The vendor they trust, the platform they depend on, the tool their MSP uses to manage their environment all can be the entry point. Visibility into third-party risk, and the ability to detect anomalous behavior originating from trusted sources, is no longer optional.

What AI-Ready Means

94% of organizations in the WEF's 2026 Global Cybersecurity Outlook named AI as the biggest cybersecurity force shaping this year. 87% flagged AI vulnerabilities as the fastest-growing risk category. These numbers reflect where security leaders have landed after watching the first wave of AI-enabled attacks play out.

Businesses must build defenses with the right architecture for this environment: one that limits the attack surface so there's less to exploit, detects based on behavior rather than known signatures, and correlates across domains rather than triaging in silos.

For MSPs, that means being able to answer a question clients are increasingly asking. What does AI-ready look like?

Todyl is built to answer that question. The Detection & Analysis Engine (DAE) builds behavioral models at the user and device level, enabling earlier detection of anomalous activity even when attackers are operating through valid credentials and trusted tools. Cross-domain correlation turns weak signals into high-confidence cases. SASE reduces the attack surface and limits the blast radius of stolen credentials before an attacker gets a foothold. And Managed Extended Detection and Response (MXDR) delivers 24/7 expert response with analysts who have the full context of identity, session, host, and incident.

The threat environment is moving faster than it ever has. The MSPs and organizations positioned to manage it aren't the ones with more tools. They're the ones with better correlation, smaller attack surface areas, and a detection model built for how attackers operate.

See how to defend against AI with Todyl.