
At Machine Speed: How AI Has Broken the Cybersecurity Balance

AI has collapsed the average cybersecurity breakout time to 29 minutes in 2025, with a record of 27 seconds, making human-only defense obsolete. Attackers now exfiltrate data in minutes, while defenders still take longer to respond, forcing a structural shift toward AI-powered security.

14 min read · Published Jun 21, 2026

A standalone article from the series “AI and You”.

There is an old rule in cybersecurity: if an attacker gets into your network, you have hours to detect them and kick them out before the damage becomes irreparable. That rule no longer exists.

In 2025, the average time it took an attacker to move from the first compromised system to other systems on the network — what the industry calls breakout time — fell to 29 minutes. The record registered that year: 27 seconds. In one of the intrusions studied, data exfiltration began four minutes after initial access. To understand the scale: that is less time than it takes a human security analyst to receive an alert, put down what they’re doing, open their laptop, and start investigating — and they still wouldn’t have had a chance to read the first log.

Chart: eCrime average breakout time in minutes. 98 min (2021) and 84 min (2022): CrowdStrike GTR 2023 · 62 min (2023): CrowdStrike GTR 2024 · 48 min (2024): CrowdStrike GTR 2025 · 29 min (2025): CrowdStrike GTR 2026. Record times: 2 min 7 s (2023) · 51 s (2024) · 27 s (2025).

This is not a technical vulnerability that can be patched away (at most partially): it is a structural speed shift driven by the same tool that is transforming the rest of the economy, artificial intelligence. And it has one consequence: if the attack operates at machine speed, a defense that depends exclusively on humans acting in real time has already lost the race before it starts.

This article is not a call to panic. It is a call to move from inaction to action before it is too late. It analyzes what has changed, what the data shows, and what someone who is not a security expert but works with systems, data, or the teams that use them can actually do.

About the extreme cases in this article. Some comparisons, scenarios, and diagrams in this text are illustrative: they contrast extremes (utopia / dystopia) to make a range visible. They are not operational recommendations or predictions. The author takes no responsibility for how each reader uses these ideas.

Cybersecurity has always been an asymmetric game. The attacker needs to find one entry vector; the defender needs to cover all of them. That asymmetry existed before AI and will exist after. What has changed is the cost and speed on each side of the equation.

Before, a sophisticated attack required advanced technical skills, preparation time, knowledge of the target, and the ability to manually escalate once inside the network. All those steps slowed the attacker down and gave the defender a window.

AI has cheapened and accelerated each of those steps simultaneously:

The result: attacking is cheaper, faster, and more accessible than ever. Defending, structurally, is not.

Indicative values to illustrate the scale of change; not from an empirical study. The dimensions qualitatively summarize the data from CrowdStrike GTR 2026, IBM Cost of a Data Breach 2025, and Verizon DBIR 2026 analyzed in this article.

The most current annual reference reports — IBM, Verizon, CrowdStrike, and FBI IC3 — paint the current picture:

The figure that stands out most is not the cost or the speed: it’s that 63% without a governance policy. We will return to it at the end of the article.

The numbers in the table above measure the acceleration: faster, cheaper, more automatic. What came next moves the problem into a different category altogether.

In April 2026, Anthropic published the security evaluation of its Claude Mythos model, developed and subjected to red team testing (a simulation of a real, highly advanced attack directed against all pillars of an organization) in collaboration with the US government before any public deployment. The results marked a before and after for the industry.

Source: Anthropic Red Team Report, April 2026.

On a standard benchmark against the Firefox JavaScript engine, Mythos generated 181 functional exploits. Anthropic’s previous model, Opus 4.6, had managed 2 attempts on the same task. Opus 4.6 had a “near-zero” rate in autonomous exploit development; Mythos has a substantial one. This is not a quantitative improvement: it is a category break. Previously, models could assist a security analyst; Mythos can replace the analysis process in many cases.

What the model found in real systems was more revealing than any synthetic benchmark:

Source: Anthropic Red Team Report, April 2026. Introduction years are approximate from the declared age in the report (27, 17, and 16 years from 2026).

More than 1,000 critical vulnerabilities in total, with 89% precision validated against expert human review. All had survived decades of manual review and millions of automated tests. Exploits that would have taken specialized teams weeks were completed in hours, autonomously.

What changes is not just the technical capability: it is the economics of the attack. According to the Cloud Security Alliance’s analysis, the cost of producing a functional Linux kernel exploit with Mythos is below $2,000; a full vulnerability reconnaissance can be completed for less than $50. The limiting factor for a sophisticated attack is no longer technical skill — it becomes access to the model.

And that access is already being actively sought. The CSA documented that in November 2025 — before Mythos’s public release — an espionage campaign used jailbroken Claude agents that executed between 80% and 90% of the operation autonomously against 30 global organizations.

Anthropic’s defensive response was Project Glasswing: controlled access to Mythos 5 so that the most exposed organizations can search for vulnerabilities in their own systems before attackers do. Among the ~150 participants, spread across 15 countries (Spain included), are Amazon Web Services, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, and Palo Alto Networks: the same names that produce the reports in the table above.

In June 2026, the US Government took an unprecedented decision: restricting access to Fable 5 and Mythos 5 through export controls, treating them for the first time as national security assets on a par with advanced semiconductors, with serious geopolitical implications.

There is an important dimension that barely makes the headlines: attackers are no longer just using AI as an attack tool — they are directly attacking the AI systems of organizations.

CrowdStrike documented in 2025 malicious prompt injections in corporate AI tools across more than 90 organizations. The mechanics connect directly to what we described in the article on “the free agent trap”: if a corporate AI agent has access to internal systems and can be tricked through an external prompt into executing unauthorized instructions, the attacker doesn’t need to breach the systems directly. It suffices to deceive the agent that already has access.

This is the first entry in OWASP’s Top 10 for LLM Applications — LLM01: Prompt Injection — translated into the real corporate environment. And it combines two risks that were previously managed separately: traditional security risk and agent governance risk.

There is a vector that operates before runtime: data poisoning. If an attacker can modify the documents feeding a corporate RAG system — the internal knowledge base that a support agent consults, or the policy repository used by an HR agent — the model will absorb manipulated information and make flawed decisions from the root. MITRE ATLAS catalogs this vector in its threat taxonomy for AI systems. Its detection difficulty lies in its very nature: the model does exactly what it was designed to do — trust its internal data.
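One defensive control against the poisoning scenario above is an integrity gate in front of the RAG corpus. The following is an added example, not code from the article or any vendor: a SHA-256 manifest is recorded when documents are approved, and before retrieval each document is re-hashed so that altered, unapproved or missing documents are reported instead of silently absorbed by the model. The document paths and contents are constructed.

```python
"""Integrity gate for a RAG knowledge base (added example, not from the article).
A manifest of SHA-256 digests is recorded when documents are approved; before
documents are fed to the model, each one is re-hashed and any altered, unapproved
or missing document is reported rather than retrieved."""
import hashlib


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def build_manifest(docs: dict) -> dict:
    """docs: path -> bytes of the approved corpus. Returns path -> digest."""
    return {path: digest(content) for path, content in docs.items()}


def verify_corpus(manifest: dict, docs: dict) -> dict:
    """Compare the live corpus against the approved manifest.
    Returns lists of clean, modified, unapproved (new) and missing paths."""
    report = {"clean": [], "modified": [], "unapproved": [], "missing": []}
    for path, content in sorted(docs.items()):
        if path not in manifest:
            report["unapproved"].append(path)      # never approved: do not index
        elif manifest[path] != digest(content):
            report["modified"].append(path)        # changed since approval
        else:
            report["clean"].append(path)
    report["missing"] = sorted(p for p in manifest if p not in docs)
    return report


def retrievable(manifest: dict, docs: dict) -> dict:
    """Only documents that still match the approved manifest reach the model."""
    report = verify_corpus(manifest, docs)
    return {p: docs[p] for p in report["clean"]}


# Constructed sample corpus (hypothetical policy documents, not real data).
APPROVED = {
    "policies/expenses.md": b"Expenses above 500 EUR require manager approval.",
    "policies/leave.md": b"Annual leave: 25 days.",
}
MANIFEST = build_manifest(APPROVED)

# Live corpus after one policy was edited and an unapproved file was added.
LIVE = {
    "policies/expenses.md": b"Expenses above 50000 EUR require manager approval.",
    "policies/leave.md": b"Annual leave: 25 days.",
    "policies/vendors.md": b"New vendor onboarding steps.",
}


def demo() -> dict:
    return verify_corpus(MANIFEST, LIVE)
```

In production the manifest itself should be signed and stored outside the writable path of the people or agents that maintain the corpus, otherwise an attacker with write access could update both.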

The practical consequence is direct: every AI agent with write permissions on production systems is a potential attack surface. The same principles that prevent a productivity agent from making silent errors — digital identity, sandboxing, least-privilege permissions, MCP as the declared contract of what it can and cannot do — are exactly the principles that prevent that agent from becoming an entry vector for an external attacker.
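The principles listed above can be made concrete as a gateway between the agent and its tools. This is an added example, not code from the article or from any product it mentions: the agent has an identity and a declared contract of tools with least-privilege scopes; content coming from external or retrieved sources is recorded as untrusted data rather than instructions; and a write action proposed after untrusted content entered the context is held for human sign-off instead of executed, so an injected instruction cannot act silently. Tool names, scopes and the support-agent scenario are constructed.

```python
"""Least-privilege tool gateway for a corporate AI agent (added example, not from
the article). Checks each proposed tool call against the agent's declared
contract and holds write actions that follow untrusted input for human review."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Tool:
    name: str
    writes: bool        # True if the tool changes state in a production system
    scopes: frozenset   # resource prefixes this agent may touch through the tool


@dataclass
class AgentContract:
    agent_id: str
    tools: dict                      # tool name -> Tool (the declared contract)
    audit: list = field(default_factory=list)
    tainted: bool = False            # set once untrusted content enters the turn

    def ingest(self, text: str, trusted: bool) -> None:
        """External or retrieved content is data, never instructions; it taints
        the current turn so that later write actions need human approval."""
        if not trusted:
            self.tainted = True
        self.audit.append(("ingest", "trusted" if trusted else "untrusted", len(text)))

    def authorize(self, tool_name: str, target: str) -> str:
        """Return 'allow', 'deny' or 'hold' for a proposed tool call."""
        tool = self.tools.get(tool_name)
        if tool is None:
            verdict = "deny"     # not part of the declared contract
        elif not any(target.startswith(s) for s in tool.scopes):
            verdict = "deny"     # outside the least-privilege scope
        elif tool.writes and self.tainted:
            verdict = "hold"     # write after untrusted input: human sign-off
        else:
            verdict = "allow"
        self.audit.append(("call", self.agent_id, tool_name, target, verdict))
        return verdict

    def end_turn(self) -> None:
        self.tainted = False     # a new turn starts from trusted context only


def build_support_agent() -> AgentContract:
    """Constructed contract for a hypothetical customer-support agent."""
    tools = {
        "read_ticket": Tool("read_ticket", False, frozenset({"ticket/"})),
        "reply_ticket": Tool("reply_ticket", True, frozenset({"ticket/"})),
        "issue_refund": Tool("issue_refund", True, frozenset({"order/"})),
    }
    return AgentContract("support-agent-01", tools)


def demo() -> list:
    agent = build_support_agent()
    agent.ingest("Operator: check the status of order 9931.", trusted=True)
    r1 = agent.authorize("read_ticket", "ticket/4821")   # allow: read, in scope
    agent.ingest("<body of an inbound customer e-mail>", trusted=False)
    r2 = agent.authorize("issue_refund", "order/9931")   # hold: write after untrusted input
    r3 = agent.authorize("delete_user", "user/77")       # deny: tool not in contract
    r4 = agent.authorize("read_ticket", "hr/payroll")    # deny: out of scope
    return [r1, r2, r3, r4]
```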

Simplified diagram of an indirect prompt injection attack against a corporate AI agent with access to internal systems.

Prompt injection attacks corporate agents through external data. There is a more direct vector: attacking the model itself, making it ignore its safety rules, and extracting information it should refuse. In June 2026, Claude Fable 5 was compromised in under 48 hours of its launch by the researcher known as “Pliny the Liberator,” who extracted hacking manuals and chemical processes the model had explicitly blocked.

The technique was not a single trick. It was a layered strategy — the pack hunt — combining techniques from different families. The families documented in red-teaming literature, from lowest to highest technical effort:

Indicative positioning based on red-teaming literature. Effectiveness and effort vary depending on the model and active mitigations. Technique with the most published empirical support: many-shot jailbreaking (Anthropic, 2024).

Anthropic responded by clarifying the scope of the Fable 5 case: a “real” bypass of their core safety systems would require active assistance in bioweapons or highly sophisticated cyberattacks, not merely extracting information available in public academic sources. The distinction is relevant, though the debate about what counts as a genuine barrier remains open.

What the incident illustrates, regardless of how the term is defined, is the specific nature of the attack surface of models: they are probabilistic systems with fuzzy boundaries that can be probed systematically and in layers. For an organization deploying models with access to sensitive information, the question is not only whether the model has safety policies — it is whether those policies withstand coordinated attacks, and whether the deployment is sufficiently isolated so that a bypass has a contained impact.

AI doesn’t only amplify the attack. Applied in defense, the data shows a real and measurable advantage: organizations that use it extensively reduce the breach lifecycle by 80 days and save almost two million dollars per incident (IBM 2025).

What does defensive AI do that a human team can’t do at scale?

Source: IBM Cost of a Data Breach Reports (editions 2019–2025). Sustained climb to the record of $4.88M in the 2024 report; the 2025 drop is the first in five years and coincides with the first extensive adoption of defensive AI.

The axis is not linear: it compresses a jump from seconds to months. The 241 days is the historical minimum in nine years of measurement.

From within the security industry, Richard Marko (CEO of ESET, with nearly thirty years in the sector) confirms this balance: “The most recent advances are helping defenders more than attackers,” thanks to the ability to automatically analyze hundreds of thousands of malware samples every day. That does not mean the risk is low — Marko also warns that “all the components to create agents capable of planning complex attacks already exist” — but when they materialize depends on the race between that offensive capability and the speed of defensive adoption.

The industrial response to that race already has a concrete shape. On June 17, 2026, Amazon Web Services launched AWS Continuum, a system that discovers, prioritizes, validates, and remediates vulnerabilities autonomously. Its most significant feature is active validation: the system builds, in an isolated environment, a functional exploit proof to confirm which vulnerabilities are genuinely exploitable before prioritizing them — the difference between an alert and a confirmed real threat. It operates model-agnostically, using Claude Mythos or other frontier models depending on the task, and starts in a learning mode with human review in the loop before progressing toward progressive automation. Machine-speed defense is no longer a roadmap goal; it is a deployable product.

The limit of this defensive AI is the same as that of any autonomous agent: it optimizes what it knows, but is blind to the new. An attacker using a previously unseen vector, exploiting unmodeled business logic, or operating within the system’s legitimate permissions can go unnoticed even when the system is on maximum alert.

That is why the human role does not disappear: it changes. The human stops being the real-time guardian — that race is already lost — and becomes the policy designer, the anomaly researcher, and the decision-maker when faced with the unknown. Just as in the previous article, “the free agent trap”: the agent executes, the human directs, reviews, and signs off on the decisions that matter.

The experience of those already running agents at production scale points to a paradox. Dell Technologies’ CSO (article in Spanish), who in 2026 manages hundreds of agents with their own identity and controlled authorization, notes that a well-designed agent can be more predictable in security terms than a human with the same level of access: it doesn’t improvise, doesn’t take shortcuts under pressure, doesn’t skip audit steps. The risk is not inherent to the agent; it is proportional to the quality of the design.

The 63% of organizations without an AI governance policy is not an abstract statistic. It has a concrete expression: Shadow AI.

45% of employees use AI on corporate devices on a regular basis (Verizon DBIR 2026), and 67% do so through personal accounts without corporate oversight. Every time someone pastes a contract into ChatGPT, a financial report into a free tool, or a customer list into a non-corporate text generator, they are introducing sensitive data into a system without audited security controls and without the organization knowing what data is leaving or where it’s going.

IBM quantifies that behavior: Shadow AI adds $670,000 to the average cost of a breach per company. Not because the tool is malicious, but because the data has left the controlled perimeter and there is no way to know what happened to it or when.

The paradox is the same as in the previous article, “the free agent trap”: the tools that add the most productivity are the ones that, without governance, most expand the attack surface. This is not an argument against using AI. It is an argument for governing its use before extending it.

Source: IBM Cost of a Data Breach 2025, across 600 organizations (March 2024-February 2025). The 37% ranges from basic policies to mature governance programs; it does not imply they are well managed.

For organizations within the scope of European regulation, this gap has concrete legal consequences: NIS2 (in force since October 2024 for essential and important entities) and DORA (financial sector, since January 2025) require the active management of third-party risk and breach reporting within 24 to 72 hours. The 48% of breaches involving the supply chain from the table above is exactly the vector both frameworks regulate. The details of that regulatory landscape appear in the next article.

Cybersecurity has a reputation for being an exclusive territory for specialists. But most of the attack vectors that AI amplifies have an entry point that requires no technical knowledge to close:

If you work in a company:

If you make decisions about systems:

AI has broken the time equation of cybersecurity. With an average breakout time of 29 minutes, and 27 seconds in the extreme case, no human team can respond in real time. That does not doom defense: it means defense also needs AI, and when it is deployed with governance, it saves almost two million dollars per incident.

The most extreme dimension of this escalation is already documented: in 2026, an AI model autonomously found over 1,000 critical vulnerabilities that had survived decades of human review and generated 181 functional exploits, whereas the previous model had managed 2, at a cost of a few dozen dollars per operation. When the US government restricts access to that model as a national security asset, it is not responding to a theoretical possibility.

The real problem is not technological. The 63% of organizations without an AI governance policy is the most important number in the current landscape. Before buying any AI security tool, the most urgent question is: what is the AI already in the organization doing, who has access to what, and with what controls?

There is a variant worth distinguishing: strict prohibition without an approved corporate alternative. It does not belong to the 63% that does nothing — it is a policy that produces the opposite effect. Under delivery pressure, teams migrate to free accounts where no vendor signs data confidentiality agreements. And in the long run, the product that avoids integrating AI into its development for security reasons ends up disarmed against attackers who do use it. Perhaps it’s a premonition, but there are plenty of arguments pointing in this direction: whoever doesn’t adopt AI today will end up buying — even their own product — from whoever did.

And for those managing agents: the principles that prevent goal drift (the agent drifting toward objectives nobody authorized) and excessive agency (acting beyond what was delegated) in productivity are exactly the same ones that prevent those agents from becoming attack vectors. Security and agent governance are not two separate problems.

AI hasn’t created the cybersecurity problem. It has taken away the time we had to ignore it.

← Previous article: The Free Agent Trap · Originally published at https://jarroba.com on June 20, 2026.

At Machine Speed: How AI Has Broken the Cybersecurity Balance was originally published in Towards AI on Medium, where people are continuing the conversation by highlighting and responding to this story.
