How Agentic AI Reshapes Security Economics

CISO Circle May 06, 2026 David Bianco , Principal Security Research Engineer at Cisco Talos

For years, security professionals have accepted the idea that attackers have an inherent advantage — they only need to find one way in, while defenders must protect everything. While it sounds intuitively true, the approach is also fundamentally flawed.

In the Attacker’s Dilemma, I wrote that attackers only need to find one way in. But then what? They need to execute reconnaissance, establish persistence, and move laterally without triggering a single alert. Defenders only need one successful intervention to stop attackers. Every minute an attacker spends inside your environment is a liability for them; reconnaissance costs them time and operational burden, their infrastructure is burnable, and defenders can neutralize attackers’ methods once they’re exposed.

However, this model assumes human-speed threats. AI-enabled attacks now operate at a scale and tempo that bypass these traditional constraints. Because AI agents can execute the entire kill chain in minutes, our current assume breach protocols are no longer sufficient.

To maintain the defender advantage, we need to update the strategy, moving from assume breach to assume AI breach.

/en_us/blog/fragments/perspectives-by-splunk-newsletter

Analyzing the speed and scale of AI-enabled attacks

Before we can adapt our defenses, we need to understand what we're defending against. Based on observations across the industry, AI is generally not enabling fundamentally new styles of attacks or entirely novel attacker capabilities. Traditional models such as the Cyber Kill Chain, the Pyramid of Pain, MITRE ATT&CK, and similar frameworks, remain valid lenses for understanding AI-powered threats. For example, an AI agent attempting to compromise your network still follows a typical kill chain: it must find a way in, establish a foothold, move toward its target, and accomplish its goal.

But agentic attacks introduce three dimensions that stress our current defensive models. First, attackers work in compressed timelines, completing kill chains in minutes that previously took days or weeks. Human attackers have to sleep and eat. AI agents don't. They can operate continuously, executing each stage of the kill chain as fast as your systems will respond to them.

Second, they operate at an unprecedented scale. While a human attacker can manage only a handful of concurrent sessions at a time, AI agents can operate across hundreds of assets simultaneously. They can maintain awareness about dozens or hundreds of compromised accounts, machines, or applications, coordinating across all of them in ways that would overwhelm human cognitive limits.

Finally, they have an unlimited capacity to explore your environment. Because AI agents have the luxury of both speed and thoroughness, they can methodically map relationships and test configurations to build a more comprehensive picture than a human could justify.

This doesn't mean AI attacks are undetectable. In fact, AI agents operating at scale may generate more artifacts than careful human attackers: more log entries, more network traffic, more signals. But those signals arrive faster and across a broader surface area than human analysts can understand, let alone respond to, in real time. The key insight is this:

Our defensive frameworks still apply. It’s our operations that must adapt.

How AI reconfigures the “Attacker's Dilemma”

What happens to the Attacker's Dilemma when attackers are AI-enabled?

Attackers still must complete their entire kill chain without defenders detecting and stopping them. Getting through the perimeter is not the same as achieving their objective: there's still a long sequence of actions they must take to succeed.

The Attacker's Dilemma still works in favor of defenders:

Exposure is still irreversible: When defenders identify an attacker's TTP, tool, or infrastructure, they permanently burn it. A sophisticated, AI-generated attack that teams detect once allows them to fingerprint, share, and block it globally.
Patterns are predictable: AI agents follow more predictable patterns based on their training and optimization targets. If defenders can model how malicious AI agents behave, they can intercept AI-driven attacks more reliably than human attackers.
Attackers are susceptive to detection: AI agents optimize for task completion, not detecting manipulation. A well-constructed honeypot fools an AI that a human would distrust on instinct. However, other elements shift in the attacker's favor:

Collapsed time windows: Detection opportunities still exist at every stage of the kill chain, but the window to act on them shrinks from days or hours to minutes. AI attackers have the power to traverse the entire kill chain before your morning standup. And if human analysts can’t keep pace, defenders lose their window of opportunity.

Dropped reconnaissance costs: AI agents can afford much deeper and broader reconnaissance than human attackers. The asymmetrical knowledge that once favored defenders (we know our environment; they have to discover it) narrows significantly.
Increased incident volumes: AI agents increase the sheer number of incidents across more assets. Without automation, defenders can quickly become overwhelmed. With increased workload but the same time and resource constraints, their investigations become superficial, leading to missed compromises, insufficient remediation, and, ultimately, increasingly severe breaches.

For defenders, the time window to exploit the attackers’ kill chain lasts only minutes, not days. Thus, for the Attacker's Dilemma to remain a real constraint on attackers, defenders must be able to detect and respond at machine speed.

Why adversaries are outpacing enterprise AI adoption

If both attackers and defenders can leverage AI, one might assume we're headed for a level playing field. In the long term, that is likely true. Unfortunately, structural imbalances strongly favor attackers in the short- and mid-term races to adopt AI effectively.

The barrier to AI-enabled attacks is already low. An individual with rudimentary technical skills and a modest budget can stand up a functional AI-enabled attack today. They use the AI as both tool and teacher to plan and implement entire attacks from simple descriptions of desired outcomes. This democratization of capabilities means that more attackers will enter the ecosystem, and attacks will emerge against targets that previously lacked the attention of sophisticated hackers.

Beyond the low barrier to entry, attackers have several structural advantages. For one, error tolerance tips in their favor. An attacker succeeds even if their AI fails 95% of the time. Because their marginal cost is near zero, “good enough” is a winning strategy. A defender, conversely, cannot afford a 5% failure rate without being buried in false positives or letting real attacks through.

Disparate operational overhead also works to the attackers’ advantage. An attacker's deployment timeline is an afternoon to a few days, costing hundreds of dollars at most, with no maintenance burden. An enterprise deployment takes months to more than a year, costs six figures or more, and requires integration with existing security infrastructure. Even if an enterprise wanted to move at attacker speed, it couldn’t.

Also, unlike defenders, attackers don’t have to navigate governance or compliance overhead. Enterprises deploying AI must navigate data privacy regulations, internal AI governance policies, legal liability reviews, ethics considerations, and security assessments. These regulations aren't necessarily bureaucratic obstacles, but they create friction that attackers simply don't face.

Attackers also have access to a host of unrestricted models. Commercial AI services have safety guardrails that prevent certain uses, compelling enterprises to evaluate model provenance: Did an adversarial nation-state create this model? Could someone poison the weights? What supply chain attestations exist? Attackers, on the other hand, can use jailbroken, fine-tuned models or fully uncensored models without safety training. They can also tap into underground services specifically designed for malicious use. Defenders fight with constraints; attackers fight without them.

What's more, attackers often don’t have to worry about maintenance or reliability issues. An attacker's tooling needs to work once. If it breaks tomorrow, they'll fix it or find something else. Enterprise tooling needs to work reliably across thousands of endpoints, be supported by multiple team members, be documented and easily maintained, integrate cleanly with existing workflows, be secured against new vulnerabilities, and be auditable. Attackers optimize purely for capability. Defenders must optimize for capability plus operationalizability.

And finally, AI cost is in steep decline. Inference costs continue to drop rapidly with efficiency improvements, competition, and hardware advances. The economic viability threshold for AI-enabled attacks is plummeting. While this works in favor of both sides, it’s still a short-term win for the attackers.

The fact that AI attacks are accelerating isn't speculation about a future state. Attackers can adopt AI faster, cheaper, and with fewer constraints than enterprises. And that gap may widen before it narrows.

To get the lowdown on ways to “Assume Breach” with agentic AI attackers in Part II of this series, please subscribe to the Perspectives by Splunk monthly newsletter.

Style

two-column

No results

/en_us/blog/fragments/about-splunk

/en_us/blog/fragments/perspectives-promo