What the industrialization of exploitation means for defenders

For decades, cybersecurity was a battle of skill. Elite attackers versus elite defenders. The rules of engagement were understood, even if the playing field wasn’t level. If you hired better analysts and bought better tools, hopefully you hardened your systems well enough and built detection capabilities that wore out the adversary’s patience. That era is over, and most security programs haven’t fully processed what replaced it. Adversarial AI has industrialized exploitation. What once required a coordinated team of technically sophisticated threat actors to manage reconnaissance, weaponization, lateral movement and persistence can now be executed autonomously, at machine speed, against thousands of environments simultaneously. Threat actors no longer need deep technical expertise. They need compute, capital and access to AI tooling — all of which are commoditized. Think about what your team used to rely on. Attackers left clues that telegraphed their presence – patterns you could learn, signatures you could catch and their campaigns moved slowly enough to track. That’s gone. Reconnaissance that took days now takes minutes . The attacks your tools were trained to recognize are being rewritten on the fly . And the coordinated human teams that once limited how many targets an adversary could hit at once? They can now be easily outmaneuvered by a single actor with the right AI tooling. Your architecture was designed for a threat that no longer exists. The problem is structural The gaps AI-enabled adversaries are exploiting aren’t primarily operational failures. They’re architectural ones. As enterprise environments expanded across cloud, OT, identity infrastructure and third-party integrations, security organizations responded by layering tools. Each new surface area got a new control, a new scanner, a new dashboard. This has created a security architecture that’s simultaneously complex and fragmented — generating enormous volumes of signal while producing limited clarity about where the actual risk lives. The specific failure modes are familiar to anyone who has worked through a real breach investigation. Controls that don’t share context mean a vulnerability scanner can flag a misconfiguration, an identity tool can flag an overprivileged account and an endpoint platform can generate an alert — none of them are able to answer the question an attacker has already answered: Can these exposures be chained into a viable path to something critical? Visibility across hybrid and multi-cloud environments remains patchwork at best; attackers move freely across boundaries that defenders frequently can’t see across. Identity exposure — overprivileged service accounts, stale credentials, misconfigured trust relationships — creates lateral movement pathways that go undetected until someone is already deep inside the environment. Alert overload causes security teams to spend disproportionate time on findings with no realistic exploitation path. None of this surprises working security professionals. What’s less widely acknowledged is that it’s not a resourcing problem. More analysts and more siloed tools, layered onto a fragmented architecture, produce more of the same. Security tools are built to detect and flag. They weren’t built to show you what an attacker sees when looking at your environment. Attackers have already leveraged automation to extend their reach. AI will enable them to exploit attack paths with unprecedented speed. So, as clichéd as it sounds, defenders need to put themselves in the shoes of attackers and adjust their approach from there. How defenders can change the equation That mindset shift starts with asking different questions. Most security programs are built around “what vulnerabilities exist?” The better question is “what can an attacker actually do with what’s in my environment right now?” That reframing has real consequences for how programs are run. Incident response speed matters, but it’s a downstream variable. The upstream question is how to make incidents caused by structural gaps and flaws less likely — which requires understanding your environment the way an attacker would, as a network of relationships that can be chained, not as a collection of independent assets and controls. Most security teams have never mapped their environment from that vantage point. Most attackers have. It also means prioritizing remediation by real exploitability rather than CVSS score or asset criticality in isolation. This is Exposure Management 101 — the “EM” in Gartner’s Continuous Threat Exposure Management framework, which provides a structure for replacing broken vulnerability management processes. Exposure Management operationalizes the “think like an attacker” ethos at scale. Security programs that prioritize real exploitability are working on the right problem. The 2025 Verizon DBIR found that the median time for edge device vulnerabilities to be mass-exploited was zero days, while organizations took a median of 32 days to fully remediate them. And separately, the average time to patch across 17 high-profile edge device CVEs was 209 days. You can’t close that gap by triaging everything equally. The defender’s actual advantage: Know thy environment There’s a version of the current threat landscape that leads to fatalism. Why invest in a fight you’re structurally losing? It’s easy to go there, but it’s the wrong read. Ultimately, I believe that defense will become equally automated — a true battle of the machines . But even before we get there, defenders have a structural advantage that no amount of adversarial AI eliminates: They operate inside the environment they’re protecting. They can see the full topology, the identity relationships, the compensating controls, the critical assets. An attacker, however sophisticated the tooling, has to discover all of that from the outside. Defenders already know it. At least they should. Most organizations have the underlying data to understand their own exposures. The challenge is synthesizing it into something actionable — seeing on a continuous basis what an attacker would see, and which paths actually lead somewhere dangerous. Start with visibility that actually crosses the boundaries your tool stack has carved out over years of reactive purchasing. Get serious about prioritization based on what’s genuinely exploitable in your environment, not what scores highest on a spreadsheet. And stop conflating compliance-driven tests with your current risk posture — they tell you what things looked like last quarter, not today. The conversations CISOs should be having at the board level should focus on whether the program running today can flag when an AI-empowered attacker has a clear path to the company’s crown jewels. The industrialization of exploitation is a genuine shift in the adversary’s economics and logistics. But the structure of the problem hasn’t changed. Defenders who understand their own environment better than attackers — and who build their programs around that advantage — are in a stronger position than the threat headlines suggest. Are you leveraging the defender’s advantage? The fast way to know this is to have your team answer the following questions: How many critical corporate assets have a validated attack path from an internet-facing entry point? How has that number changed quarter-over-quarter? What percentage of our remediation effort closed an actual path versus a theoretical finding? Do we know the ways an attacker could create an attack path to our critical assets? Are we continuously assessing all of the possible attack paths to our critical assets?” Then, if you don’t like the answers, it’s time to revisit your control architecture. The best way to avoid cyber disruption from adversarial AI is to fix the structural problems so those attack paths aren’t realized in the first place. Carpe Diem! This article is published as part of the Foundry Expert Contributor Network. Want to join?