When Sun Tzu said, "To know your enemy, you must become your enemy," he never could have imagined how his wisdom would be applied to AI 2,500 years later.
During his session at the Gartner Cybersecurity and Risk Management Summit 2026, Gartner analyst Leigh McMullen agreed with Tzu, in that threat actors have much to teach defenders about using AI. In just a few years, nefarious hackers have harnessed the technology to launch cyberattacks at stunning speed and scale. Yet, security professionals can be just as successful using similar techniques. "The [offensive AI] processes are not necessarily particularly exquisite, elaborate or all that involved and actually present us with an opportunity to create the mirror of them in defense," he said.
McMullen identified four key areas where threat actors are using AI to augment and improve their capabilities, and explained how defenders can use similar methods to counter threat activity and mitigate risk.
1. Upscaling
Threat actors complement their existing skill sets with AI to execute cyberattacks more rapidly, creatively and evasively than ever before. The technology benefits attackers of all levels -- those with basic skills use AI to craft more potent attacks, while advanced threat actors use it to become faster and launch more complex digital crimes.
McMullen said defenders should also expand their abilities by putting AI to work. He said the AI models that defenders train will be more adept at identifying threats, containing intrusions and protecting systems.
2. Target selection
Threat actors who conduct phishing and deepfake operations frequently use AI to research both those whom they intend to impersonate and their victims. For example, an attacker might train an AI agent to scour the web and learn the personal details and communication style of an authority figure, enabling the attacker to effectively mimic that authority figure.
Criminals aren't the only ones who can benefit from this highly targeted AI-assisted research. Security professionals should deploy AI agents to both learn what information is available to potential attackers and to unearth facts about those same threat actors.
McMullen recommended setting up RAG pipelines, which enhance large language models by grounding responses in specific external data. For example, he suggested creating custom threat intelligence feeds to continuously monitor for PII breaches involving key executives and potential targeting vectors. RSS feeds, AI-generated scripts, web crawlers, ISAC feeds and CVE feeds are all tools at the security professional's disposal. Those same tools can be directed outward by directing AI research agents toward known threat actor groups.
3. Attack obfuscation
Attack obfuscation is becoming increasingly common, McMullen said. "This is threat actors using AI to hide their modus operandi for attacking."
Defenders can use similar techniques to trick attackers, he said. For instance, he suggested that security professionals make AI-generated synthetic data to keep threat actors busy, then monitor activity to learn attackers' TTPs. Authentic-looking honeypots, test ranges, look-alike tools, fake websites, bogus vulnerabilities and dead-end backdoors can all send attackers on wild-goose chases while revealing valuable information about them to security staff.
4. Automating tasks
Attackers often use AI to perform tedious tasks, McMullen said. For example, to conduct living-off-the-land attacks, persistent threats, automated kill chains and other cumbersome steps.
Security teams, too, can delegate many of the less glamorous aspects of cybersecurity defense and risk mitigation to AI agents, he said. Tracking threat actors, offensive testing, security simulations and call center governance can be handled by AI, so security leaders can dedicate more time to innovation and business outcomes.
While threat actors have proven AI's offensive potential, defenders also have the blueprint to level the playing field. By upscaling capabilities, sharpening target intelligence, deploying deception at scale and automating the mundane, security teams can transform from reactive guardians into proactive adversaries. The best defense might just be understanding how attackers think, adopting their playbook and turning it against them.
Richard Livingston is an editor with Informa TechTarget's SearchSecurity site, covering cybersecurity news, trends and analysis.
