
AI is changing the game for cyber defenders. Detection needs to catch up


COMMENTARY: When Anthropic identified a large-scale campaign in which a threat actor manipulated its Claude Code agent to conduct reconnaissance, credential harvesting, and lateral movement against roughly 30 global targets, succeeding in a small number of cases, the problem was not simply alert volume or tooling gaps. It was a detection architecture unprepared to recognize intent before the intrusion had progressed to the point of damage.

The threat landscape has changed. Quietly and rapidly, artificial intelligence has become a force multiplier for attackers. Sophisticated adversaries now use AI to automate reconnaissance, rotate infrastructure, generate polymorphic code, and escalate privileges without triggering traditional alarms. They don’t break in. They log in, blend in, and adapt as they move.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

These aren’t theoretical concerns. AI-assisted attacks are already bypassing conventional defenses using automation, obfuscation, and legitimate tools to operate undetected. Attackers no longer need to rely on known exploits or custom malware. They can blend into everyday system activity and change course mid-operation. These incidents aren’t just warnings; they’re proof that detection strategies must evolve. It’s time to rethink what detection needs to uncover, and when.

From known bad to emerging intent

Traditional detection systems, such as SIEMs, NDRs, and UEBA platforms, were built to identify known malicious patterns: signatures, statistical anomalies, and predefined behaviors. But today’s adversaries aren’t playing by those rules. AI-powered attackers mutate tactics on demand, hide in encrypted traffic, use the trusted tools already present in your environment, and move laterally without tripping statistical thresholds.

This forces a hard question: can your security team recognize intent before damage occurs, or are they only responding after it’s too late?

Intent is the new perimeter. The difference between a legitimate user accessing a database and an attacker staging an exfiltration isn’t just in the data or timing; it’s in the sequence, progression, and context of the actions taken. That’s what legacy detection architectures miss.

Why AI makes detection more urgent, not less

Over the past year, defenders have widely adopted generative AI to summarize alerts, write detection rules, and automate playbooks. These are real gains. But they don’t solve the core detection gap. They help us move faster after a detection, but don’t change how detection actually works.

Meanwhile, attackers are leveraging AI to accelerate the attack chain. They can probe, pivot, and persist without relying on payloads or repeatable indicators. A growing class of adversaries is increasingly relying on AI-enabled tooling and automated infrastructure to remain quiet, adaptable, and difficult for legacy systems to track.

Detection isn’t dead. It’s simply overdue for an upgrade.

The cost of falling behind

Security leaders are starting to recalibrate. Gartner projects that preemptive security solutions will account for 50% of IT security spending by 2030, up from less than 5% in 2024. Organizations that delay this transition aren’t just falling behind; they’re accumulating security debt that compounds over time.

SOC teams are already stretched. Alert fatigue, staffing shortages, and high false-positive rates make it hard to focus on what matters. When detection systems rely on static rules or manual tuning, defenders remain reactive, responding faster but still too late.

A better path forward

Closing the gap starts with redefining what “good” detection looks like in an AI-driven world. That means shifting from static indicators to models that understand behavior and intent as it unfolds. It also means evaluating detection not just by recall, but by whether analysts can trust what it surfaces: an early signal is only useful if its precision is high enough that someone acts on it.



Deep learning provides a path forward: models purpose-built for operational telemetry can learn how systems normally function and detect when activity begins to align with malicious goals, even in encrypted or east–west traffic. Instead of matching indicators, these models evaluate whether the sequence and context of events are consistent with legitimate workflow patterns.

For detection engineers, this isn’t about replacing their stack. It’s about expanding detection coverage with a model that complements existing tools and closes the blind spots inherent in rule-based systems. Deep learning reduces the operational burden created by continually writing and maintaining rules for known patterns, allowing teams to focus on higher-value analysis. The result is earlier signals with less engineering overhead.
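To make the “sequence and context” idea concrete, here is an added illustration that is not code from this column or from any vendor’s product, including the author’s. A first-order Markov model of event transitions, trained on constructed session telemetry, stands in for a learned sequence model, and a CUSUM statistic over per-event surprise decides when the running deviation is large enough to alert. The event vocabulary, the baseline sessions, the slack and threshold values, and the two sessions scored at the end are all hypothetical. It returns to the earlier example of a legitimate database user versus an attacker staging exfiltration: almost every event in the attack chain also appears somewhere in the baseline, so no single indicator fires; the order is what gives it away, and the statistic crosses the threshold at the credential-access step, several events before data leaves.

```python
"""Sequence-aware scoring sketch (constructed example, hypothetical telemetry).

A bigram model with add-one smoothing plus a CUSUM on per-event surprise stands
in for a learned sequence model; the scoring logic is the point here.
"""
from collections import defaultdict
from math import log

START, END = "<s>", "</s>"

# Constructed baseline telemetry: each tuple is one session of normalised event
# types in order. The vocabulary is invented for this example.
BASELINE_SESSIONS = [
    ("login", "query_db", "read_rows", "query_db", "read_rows", "logout"),
    ("login", "query_db", "read_rows", "logout"),
    ("login", "query_db", "read_rows", "export_report", "logout"),
    ("login", "list_shares", "read_file", "logout"),
    ("login", "query_db", "read_rows", "read_rows", "export_report", "logout"),
    ("login", "read_file", "read_file", "logout"),
    ("login", "rdp_connect", "read_file", "logout"),                 # admin task
    ("login", "read_file", "archive", "upload_external", "logout"),  # backup job
] * 5  # repeated to approximate a larger history


class SequenceModel:
    """First-order Markov transition model with a CUSUM over event surprise."""

    def __init__(self, sessions, slack=0.5, threshold=2.5):
        self.counts = defaultdict(lambda: defaultdict(int))
        self.vocab = {START, END}
        for session in sessions:
            events = (START, *session, END)
            for prev, cur in zip(events, events[1:]):
                self.counts[prev][cur] += 1
                self.vocab.add(cur)
        # Typical per-transition surprise on the baseline itself (in-sample).
        total = count = 0.0
        for session in sessions:
            events = (START, *session, END)
            for prev, cur in zip(events, events[1:]):
                total += self.surprise(prev, cur)
                count += 1
        self.mean_surprise = total / count
        self.slack = slack          # routine deviation to ignore (hypothetical)
        self.threshold = threshold  # CUSUM decision level h (hypothetical)

    def surprise(self, prev, cur):
        """-log P(cur | prev) in nats. Unseen transitions, including events
        never seen at all, get the smoothed floor rather than zero probability."""
        row = self.counts.get(prev, {})
        total = sum(row.values())
        return -log((row.get(cur, 0) + 1) / (total + len(self.vocab)))

    def trace(self, session):
        """List of (event, surprise, cusum) for each transition, in order.
        Only surprise above mean + slack accumulates, so a long but routine
        session does not drift into an alert. The last row is the session end."""
        events = (START, *session, END)
        stat, rows = 0.0, []
        for prev, cur in zip(events, events[1:]):
            s = self.surprise(prev, cur)
            stat = max(0.0, stat + s - self.mean_surprise - self.slack)
            rows.append((cur, s, stat))
        return rows

    def score(self, session):
        """Return (peak_statistic, first_alert_index). The index is the 0-based
        position in `session` at which the statistic first exceeded the
        threshold (len(session) means the session-end transition), else None."""
        rows = self.trace(session)
        peak = max(stat for _, _, stat in rows)
        first_alert = next(
            (i for i, (_, _, stat) in enumerate(rows) if stat > self.threshold), None)
        return peak, first_alert


MODEL = SequenceModel(BASELINE_SESSIONS)

# Constructed sessions to score. Every event in the attack chain except
# access_lsass occurs somewhere in the baseline; the order is what is unusual.
LEGITIMATE_SESSION = ("login", "list_shares", "read_file", "read_file", "logout")
ATTACK_SESSION = ("login", "list_shares", "read_file", "access_lsass",
                  "rdp_connect", "list_shares", "archive", "upload_external", "logout")

if __name__ == "__main__":
    for name, session in (("legitimate", LEGITIMATE_SESSION), ("attack", ATTACK_SESSION)):
        peak, first = MODEL.score(session)
        where = session[first] if first is not None and first < len(session) else END
        verdict = f"alert at event {first} ({where})" if first is not None else "no alert"
        print(f"{name}: peak={peak:.2f}, {verdict}")
        for cur, s, stat in MODEL.trace(session):
            print(f"  {cur:16s} surprise={s:5.2f} cusum={stat:5.2f}")
```

Two caveats a practitioner would add before taking this further. The mean surprise is measured in-sample, so the slack and threshold here are tuned against the same data they are judged on; in practice you would hold out sessions and set the threshold from the false-positive rate you can afford to triage. And a bigram sees only one step of context, which is exactly the limitation that motivates deeper sequence models over raw telemetry: an attacker who interleaves routine events between malicious ones dilutes a first-order statistic, whereas a model with longer memory can still recognize the progression.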

From firefighting to foresight

Every SOC wants to reduce noise, triage faster, and act earlier. But the foundation for that future is not more alerts or smarter dashboards. It's better detection. That starts with recognizing that attacker behavior has changed, and detection must change with it.

AI is now a core part of the threat landscape. The enterprises that succeed will be those that detect malicious intent before it becomes an incident. Because by the time you’re responding, the attacker may already be gone.

Let’s stop asking whether our tools fired. Let’s start by asking whether we understood what the attacker was trying to do early enough to stop it.

Evan Powell

Evan is a many-time entrepreneur with hands-on and academic experience in deep learning. He has served as founding CEO of companies that accelerated the transition of many industry sectors, including voice and video communications, cloud-native data, security automation, data management for machine learning, and chaos engineering and resilience engineering. In 2022 he started the OpenData Community to use data science and machine learning to counter fraud and Sybil attacks, which led to his decision to found DeepTempo in 2023 to harness collective intelligence and deep learning for cyber security.
