Collapsing grace period: When your adversaries never tire
Tue, 12th May 2026
Until recently, the economics of advanced exploitation kept the pool of capable threat actors relatively small. Discovering novel vulnerabilities, writing reliable exploit code, and operationalising the result demanded time, specialised expertise, and capital. Few groups had all three. Most organisations were afforded a quiet grace period, with room to defer hardening, carry technical debt, and tolerate imperfect patching cadence without falling victim to a worst-case adversary. AI is subsidising that cost, and the grace period is collapsing.
Despite this, AI has yet to foster novel attack vectors with practical application. It has made existing tradecraft cheaper, faster, and accessible to threat actors who could not have practised it five years ago. Prompt injection and other model-specific risks sit outside the established attack surface and are not where the enterprise is losing meaningful ground.
Extortion has also changed shape, with groups increasingly abandoning file encryption or never having adopted it. Without domain or hypervisor compromise, encryption rarely affects enough of the estate to compel payment, and those intrusion playbooks are well-rehearsed enough that EDR reliably disrupts them. Backup improvements have blunted encryption's impact further, making pure data extortion a more effective model for many groups. Exfiltrating sensitive data and threatening publication requires far less intrusion footprint, with regulatory penalties, civil exposure, and reputational damage providing strong leverage without an outage that would force the matter into the open, and groups routinely hold that position for weeks before the public knows. Payment compliance has softened in parallel, with Chainalysis tracking claimed attacks growing 50 per cent in 2025 while victim payment rates fell to a record low of 28 per cent. Operators have responded by concentrating on larger targets where the cost of disclosure is highest, with the median payment rising to USD 59,565.
What the data already confirms
The collapsing grace period is already evident in incident response data. CrowdStrike reporting shows the average eCrime breakout time fell from 48 minutes in 2024 to just 29 minutes in 2025, with the fastest observed intrusion moving laterally in 27 seconds. Mandiant's 2026 M-Trends puts mean time-to-exploit for disclosed vulnerabilities at negative seven days, meaning the average flaw is under active exploitation a week before its patch ships. Eighty-two per cent of detections across CrowdStrike's telemetry are now malware-free, and identity weaknesses appear in nearly 90 per cent of Unit 42's investigations. Identity has become the practical security boundary, with adversary effort concentrating on the authentication flows and the trust relationships encoded in service accounts, OAuth grants, federated identity configurations, and third-party integrations.
Expel's recent analysis of HexagonalRodent is a practical example of where AI is influencing adversary productivity. The DPRK-aligned group frequently targets Web3 developers, lures them with fake job offers, and ships "take-home" coding assessments backdoored with malware. Front companies are stood up on Anima with AI-generated executive headshots and matching LinkedIn profiles. ChatGPT and Cursor mask the operators' weaker English and shaky technical fundamentals enough to pass live coding interviews and, in some cases, hold full-time remote engineering roles for months, exfiltrating source code, signing keys, and credentials. Three months of activity netted around USD 12 million in wallets from more than 2,700 developer systems. None of it required novel exploitation. It required running a familiar playbook at far higher quality and volume than was previously affordable.
I still believe the broader AI threat narrative should be treated with measured scepticism. Vendors lining up IPOs and carrying infrastructure commitments they need to justify have every reason to amplify the threat, and their prescribed remedy is always more AI spend. There is a consistent gap between what gets demonstrated in marketing and lab tests and what shows up in incident data, and organisations that let vendor framing drive their priorities risk over-investment in AI-specific controls while foundational gaps go unaddressed.
Inherited trust, inherited exposure
The most concentrated exposure today is the software supply chain, and the mechanics are the same whether you are pulling a package from a public registry like npm or PyPI, or running compiled enterprise software shipped by a vendor. Trust flows from the build environment, the maintainer or vendor, and the signing key or publishing token, and a compromise of any link inherits that trust everywhere downstream. Slopsquatting is a related failure mode. AI coding assistants hallucinate package names in generated code and dependency files, threat actors register those exact names on the registry, and developers blindly pull those packages straight into their builds.
TeamPCP continue to demonstrate these mechanics across security tooling and developer package vendors, with each wave enabled by the credentials stolen in the one before it. It started in late February, when a bot harvested a privileged token from a misconfigured GitHub Actions workflow in Aqua Security's Trivy. Aqua's initial remediation was incomplete, and the actor retained access through a service account. On 19 March the actor force-pushed 76 of 77 version tags on the official trivy-action, redirecting pinned references across more than 10,000 downstream pipelines to malicious commits. The stealer ran ahead of the legitimate scan, so build output looked normal while cloud credentials, SSH keys, and Kubernetes tokens were exfiltrated.
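A force-pushed tag only redirects workflows that reference an action by tag or branch; a reference pinned to a full commit SHA does not move with it. The check below is an added example, not code from the article or from any project it names: it audits a workflow file for `uses:` references that can be re-pointed. The workflow text, the `example-org` action names and the SHA are constructed for illustration.

```python
import re

# A "uses:" key, optionally the first key of a list item; quotes and trailing comments dropped.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed sample workflow (hypothetical action names, made-up SHA).
SAMPLE = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - name: image scan
        uses: example-org/other-action@main
      - uses: ./.github/actions/local-step
      - uses: example-org/short-sha-action@0123abc
"""

def classify(target):
    """Classify a uses: target as 'local', 'pinned' or 'mutable'."""
    if target.startswith("./"):
        return "local"  # action code comes from the checked-out repository itself
    if target.startswith("docker://"):
        # Image references are immutable only when addressed by digest.
        return "pinned" if "@sha256:" in target else "mutable"
    _, _, ref = target.partition("@")
    # Anything other than a full 40-hex commit SHA is treated as movable.
    return "pinned" if FULL_SHA_RE.match(ref) else "mutable"

def audit_workflow(text):
    """Return (line_number, target) for every reference that can be re-pointed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "mutable":
            findings.append((lineno, m.group(1)))
    return findings

if __name__ == "__main__":
    for lineno, target in audit_workflow(SAMPLE):
        print(f"line {lineno}: {target} is not pinned to a full commit SHA")
```

A full-SHA pin stops the reference from moving, but this check does not verify that the pinned commit is the one you reviewed.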
The Salesloft compromise of August 2025 relied upon similar mechanics, but the target was SaaS. Threat actors compromised Salesloft's Drift integration, which held pre-established OAuth trust relationships with downstream Salesforce tenants. The stolen tokens carried pre-authorised access, making the victims' MFA posture irrelevant. They automated data exfiltration across hundreds of connected instances, then scanned the exported data for embedded secrets. The trust you extended to that integration doesn't expire when the vendor is compromised. It travels with whoever holds the token.
Slow is no longer a strategy
None of this calls for a new defensive playbook, just ruthless execution of the existing one. Almost every control we rely on assumed an adversary that could be slowed down, and that assumption fails against tooling that does not tire. The controls that hold up are the ones that stop an action rather than slow it down.
Time-to-exploit measured in negative days renders your patching cadence meaningless, shifting the unit of work from discrete patch to rolling release. KEV-listed issues must be treated as live emergencies, and internet-facing systems updated within hours rather than when your next change control meeting decides. Edge appliances are the hardest case, where vendor patch timelines and operator change windows both lag the threat, and compensating controls must absorb what the patch cycle cannot. For everything outside the KEV list, EPSS provides a daily-updated exploitation probability that converts an unmanageable backlog into a ranked queue. At this speed of exploitation, the approval window is the exposure.
Domain controllers, certificate services, and the Entra ID control plane are the terminus of nearly every credential-based intrusion, and most environments have more paths to them than their owners realise. Just-in-time access through Entra PIM eliminates standing privilege entirely, bounding the theft and relay window to active elevation sessions. Dedicated Tier 0 accounts, Privileged Access Workstations, and GPO-enforced login restrictions keep those credentials off lower-tier systems. Conditional Access binds authentication decisions to device posture and sign-in context rather than credential validity alone, and continuous access evaluation narrows the window where a stolen session token remains valid. The credential becomes a diminishing asset at every stage an attacker might try to use it.
Microsegmentation confines a foothold to the segment it lands in rather than letting it propagate toward the systems that matter. Once those controls are in place, the execution layer becomes the final chokepoint. Application allowlisting enforces a default-deny posture over what runs, and ringfencing governs what even approved applications can reach, so a compromised but allowlisted process cannot escape its expected interaction boundary. Living-off-the-land gets expensive when the land is tightly governed.
The supply chain demands the same discipline at every trust boundary, whether the organisation ships software or only consumes it. Dependencies need continuous review with tooling like Socket.dev or Sonatype, so a poisoned package gets flagged before it enters any of your environments. OAuth grants and SaaS integrations need audit at the same cadence and rigour as Active Directory privilege, because they have become comparable paths to your data.
Every organisation in the incident data had a security program. The tempo in that data is already difficult, and what adversaries are building toward is harder. Your undoing is not a lack of strategy, but the gap between the controls you planned and the ones actively stopping attacks across your organisation.