
Opinion
AI isn’t creating super-hackers. It’s scaling less-skilled attackers
As automation lowers the barrier to cybercrime, the real defensive test is detecting attacker behavior faster, not chasing the next shiny product.
The cybersecurity industry is preparing for the wrong AI threat.
The loudest conversation imagines AI as a superhuman hacking machine: autonomous agents breaching organizations in seconds, finding every zero-day, and creating a new class of attacks that existing defenses cannot understand. Some of that may come. Some of it is already possible in narrow or controlled settings. But for organizations defending real environments today, the more urgent shift is less cinematic and more practical.
AI is not mainly creating a new species of attacker. It is making less-skilled attackers faster, cheaper, and more effective.
That distinction matters because it changes how companies should defend themselves. If the threat is framed as a mythical AI super-hacker, the instinct is to buy the next shiny product and hope it solves a new kind of problem. If the threat is a much larger pool of attackers using automation to run familiar playbooks at scale, the answer is different. Companies need to get much better at seeing what attackers are actually doing inside their environments.
AI has lowered the barrier to entry. Tasks that once required years of technical experience can now be assisted, accelerated, or partially assembled by generative tools: writing code, modifying scripts, understanding exposed systems, personalizing phishing messages, and automating parts of an attack workflow. A person who would once have been too inexperienced to operate effectively can now get help from the machine.
That does not make the machine magic. It changes the economics of cybercrime. A recent Huntress report, shared with Axios, described a 1,380% increase in device-code phishing attacks by one phishing-as-a-service operation in the first four months of 2026 compared with the second half of 2025. The important detail is not only the number. It is the operating model: subscription kits, automated workflows, AI-generated content, and criminals with limited resources gaining access to tactics that once required more skill.
Academic research points in the same direction. A 2024 study that tested AI-generated spear-phishing emails on human subjects found that fully automated AI emails performed on par with emails written by human experts. The lesson is not that AI has invented deception. The lesson is that it can produce convincing deception at lower cost and larger scale.
In one reported case involving Mexican government agencies, researchers described attackers using AI coding tools to support a campaign that would once have required a larger and more technically capable team. The details of any single incident matter, but the broader pattern is already visible: AI allows smaller, less specialized groups to do more work, move faster, and process more information than before. That is the real change: not one perfect machine attacker, but many more imperfect human attackers with better tools.
The entry point is often still not exotic. In many breaches, the first move is familiar: a fake email, a stolen credential, a user tricked into approving access, or a legitimate tool abused for a malicious purpose. AI makes those attempts easier to write, cheaper to personalize, and faster to repeat. It does not need to invent science fiction to create damage.
This is where the hype becomes dangerous. When every budget conversation starts with AI-driven hype, organizations can start defending against the version of the threat that is easiest to market rather than the version most likely to hurt them. They prepare for autonomous attackers while underinvesting in the basic ability to detect credential abuse, suspicious movement, abnormal access patterns, and attacker behavior across identity, endpoint, cloud, and SaaS environments.
AI systems do need security. They are software systems with inputs, outputs, permissions, integrations, data flows, and users. They can be abused, manipulated, and misconfigured. But treating AI as an alien category can lead companies to overcomplicate the problem. Much of the risk still passes through the same organizational surfaces security teams already know: identities, applications, endpoints, cloud services, and human trust.
The same logic applies to vulnerability management. Patching matters. No serious security team should ignore it. But patching faster cannot be the whole answer. There will always be more vulnerabilities than any team can fix immediately, and attackers do not need to wait for the perfect zero-day if a stolen credential, a convincing message, or a legitimate admin tool gets them where they want to go.
Organizations should assume that at least one defensive layer can fail. That is not pessimism. It is how defense works. The wall matters, but the wall is not the end of the story.
Getting in is only the beginning. An attacker still needs to understand the environment, move between systems, find valuable data, escalate access, maintain persistence, and get information out without being stopped. That activity creates signals. The question is whether the organization is looking for them.
This is where detection becomes more important, not less. Detection is often treated as a technical function buried inside security operations, but it is really an operating discipline. It has two parts: visibility and logic. Visibility means knowing what is happening across the systems that matter. Logic means knowing which behaviors should make the organization stop and ask, “Is this an attacker?”
The right response to AI-assisted cybercrime is not to chase every new headline. It is to build the ability to recognize real attacker behavior quickly. If attackers are using AI to write better phishing emails, detect the credential abuse and access patterns that follow. If they are using automation to move faster inside a network, detect that movement. If they are using legitimate tools to hide in normal activity, detect the behavior that does not belong. The medium changes. The logic does not.
This also changes the questions boards and executives should ask. “Do we have an AI strategy for cybersecurity?” is too broad to be useful. Better questions are more concrete: Which active attack patterns are we actually looking for? How quickly can new threat intelligence become a hunt or detection inside our environment? Do we know whether our existing tools can see the behavior that matters? Are our alerts based on real attacker techniques, or are we drowning in generic anomalies?
Security teams do not need more shadows to chase. They need sharper focus. AI is changing cybersecurity, but not in the way most of the market wants to describe it. It is lowering the barrier for attackers, increasing the number of people who can do damage, and making familiar techniques faster and more scalable. That is serious enough. It does not require mythology.
The answer is not panic. It is not a new buzzword. It is knowing what is happening inside your systems, understanding how attackers actually operate, and building the ability to catch them fast. That is not the exciting version of the story. It is the one that works.
Shahaf Galili is co-founder and CEO of Mars Security. He previously served as VP Product at Attribute and held senior cybersecurity roles at Claroty.