5 ways to harden your network against the new speed of AI attacks

## Summary
Tech Home Tech Security 5 ways to harden your network against the new speed of AI attacks As attackers get more sophisticated and persistent, IT workers have to step up their game as well. The bad guys are doing the same thing, Mandiant reports, using a "division of labor" model, in which one group uses low-impact techniques like malicious advertisements or fake browser updates to gain access to a network, then handing off the compromised target to a secondary group for hands-on access. After gaining access to a network, they report, "attackers are weaponizing AI ... the QUIETVAULT credential stealer was observed checking targeted machines for AI [command-line] tools to execute predefined prompts to search for configuration files and collect GitHub and NPM tokens." Also: These 4 critical AI vulnerabilities are being exploited faster than defenders can respond AI is still playing a secondary role, however. "Despite these rapid technological advancements," the report notes, "we do not consider 2025 to be the year where breaches were the direct result of AI. From our view on the frontlines, the vast majority of successful intrusions still stem from fundamental human and systemic failures." The bad guys are moving faster and breaking things The entire tech industry has learned from Mark Zuckerberg's infamous imperative for Facebook engineers: "Move fast and break things." That's also true for cybercriminals, who have discovered that ransomware attacks are even more effective when they also target the virtual infrastructure that supports backup tools: Ransomware groups are no longer just encrypting data; they are actively destroying the ability to recover. ... actively deleting backup objects from cloud storage. ...

## Article Content
Tech
Home
Tech
Security
5 ways to harden your network against the new speed of AI attacks
As attackers get more sophisticated and persistent, IT workers have to step up their game as well. Here's how to do that in 2026.
Written by
Ed Bott,
Senior Contributing Editor
Senior Contributing Editor
March 24, 2026 at 12:32 p.m. PT
Yuichiro Chino/Moment via Getty Images
Follow ZDNET:
Add us as a preferred source
on Google.
ZDNET's key takeaways
Attacks on enterprise networks are getting faster.
Cybercriminals are using AI, but humans are still the weakest link.
Defending against attacks requires structural changes to the network.
Here's the paradox of modern cyberwarfare: Increasingly, the attackers are using machines that can work orders of magnitude faster than the humans who control them. In response, the targets are increasingly turning to automated systems to detect and repel those intruders.
But in this machine-versus-machine combat, humans are still at the center of each battle, and those mere mortals continue to be the weak point. That's the conclusion of this year's
survey of the enterprise security landscape
from Mandiant, a US cybersecurity firm -- now part of Google Cloud -- that specializes in investigating major global security breaches and advising organizations on how to protect themselves from cyber threats.
Also:
1 in 2 security leaders say they're not ready for AI attacks - 4 actions to take now
Modern enterprise networks are widely distributed and can hand off tasks to partners via software-as-a-service. The bad guys are doing the same thing, Mandiant reports, using a "division of labor" model, in which one group uses low-impact techniques like malicious advertisements or fake browser updates to gain access to a network, then handing off the compromised target to a secondary group for hands-on access.
And this all happens at a startling pace. In 2022, Mandiant reports, this "time to hand-off" was more than 8 hours. In 2025, thanks to automation, those hand-offs were happening after an average of just 22 seconds. Likewise, the window to compromise systems with zero-day exploits is also plummeting, with the mean time to exploit vulnerabilities dropping to seven days before vendors have had time to issue a patch.
Identifying the attackers
According to Mandiant, the majority of secondary groups that are conducting "hands-on-keyboard operations" in compromised enterprise networks can be divided into two groups with distinctly different tactics and pacing. Cybercriminals are after financial gain, using tools like ransomware, while espionage groups are optimizing for long-term, stealthy access.
On one end of the spectrum, cyber criminal groups optimized for immediate impact and deliberate recovery denial. On the other end, sophisticated cyber espionage groups and insider threats optimized for extreme persistence, utilizing unmonitored edge devices and native network functionalities to evade detection.
Those "dwell times" -- that is, the time from intrusion to detection -- average 14 days, but cyber espionage incidents can last much longer, with a median dwell time of 122 days.
Also:
How to build better AI agents for your business - without creating trust issues
Mandiant identified more than 16 industry verticals that are being targeted, with the high-tech sector (17%) and the financial sector (14.6%) at the top of the list.
Where the intrusions come from
No surprises here: Nearly one-third of detected intrusions come from exploits. The second most commonly observed vector is "highly interactive, voice-based social engineering," with groups targeting IT help desks "to bypass multifactor authentication (MFA) and gain initial access to software-as-a-service (SaaS) environments."
Also unsurprising is the increasing adoption of AI tools for reconnaissance, social engineering, and malware development. After gaining access to a network, they report, "attackers are weaponizing AI ... the QUIETVAULT credential stealer was observed checking targeted machines for AI [command-line] tools to execute predefined prompts to search for configuration files and collect GitHub and NPM tokens."
Also:
These 4 critical AI vulnerabilities are being exploited faster than defenders can respond
AI is still playing a secondary role, however. "Despite these rapid technological advancements," the report notes, "we do not consider 2025 to be the year where breaches were the direct result of AI. From our view on the frontlines, the vast majority of successful intrusions still stem from fundamental human and systemic failures."
The bad guys are moving faster and breaking things
The entire tech industry has learned from Mark Zuckerberg's infamous imperative for Facebook engineers: "Move fast and break things." That's also true for cybercriminals, who have discovered that ransomware attacks are even more effective when they also target the virtual infrastructure that supports backup tools:
Ransomware groups are no longer just encrypting

---

## Expert Analysis

### Merits
- From our view on the frontlines, the vast majority of successful intrusions still stem from fundamental human and systemic failures." The bad guys are moving faster and breaking things The entire tech industry has learned from Mark Zuckerberg's infamous imperative for Facebook engineers: "Move fast and break things." That's also true for cybercriminals, who have discovered that ransomware attacks are even more effective when they also target the virtual infrastructure that supports backup tools: Ransomware groups are no longer just encrypting data; they are actively destroying the ability to recover. ... actively deleting backup objects from cloud storage. ...

### Areas for Consideration
- Likewise, the window to compromise systems with zero-day exploits is also plummeting, with the mean time to exploit vulnerabilities dropping to seven days before vendors have had time to issue a patch.
- Deploy advanced threat detection across the entire ecosystem and extend log retention policies well beyond standard 90-day windows.

### Implications
- The bad guys are doing the same thing, Mandiant reports, using a "division of labor" model, in which one group uses low-impact techniques like malicious advertisements or fake browser updates to gain access to a network, then handing off the compromised target to a secondary group for hands-on access.
- On one end of the spectrum, cyber criminal groups optimized for immediate impact and deliberate recovery denial.
- After gaining access to a network, they report, "attackers are weaponizing AI ... the QUIETVAULT credential stealer was observed checking targeted machines for AI [command-line] tools to execute predefined prompts to search for configuration files and collect GitHub and NPM tokens." Also: These 4 critical AI vulnerabilities are being exploited faster than defenders can respond AI is still playing a secondary role, however. "Despite these rapid technological advancements," the report notes, "we do not consider 2025 to be the year where breaches were the direct result of AI.
- Security Your Android phone's most powerful security feature is off by default and hidden - turn it on ASAP As ransomware recedes, a new more dangerous digital parasite rises Your PC's critical security certificates may be about to expire - how to check How to lock down your iPhone to the extreme - so even the FBI can't get in Your Android phone's most powerful security feature is off by default and hidden - turn it on ASAP As ransomware recedes, a new more dangerous digital parasite rises Your PC's critical security certificates may be about to expire - how to check How to lock down your iPhone to the extreme - so even the FBI can't get in Editorial standards Show Comments Log In to Comment Community Guidelines Related Is an M5 MacBook Pro worth upgrading from an M1 model?

### Expert Commentary
This article covers security, attacks, mandiant topics. Notable strengths include discussion of security. Areas of concern are also raised. Readability: Flesch-Kincaid grade 0.0. Word count: 1236.