惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
AWS News Blog
AWS News Blog
V
Vulnerabilities – Threatpost
D
Darknet – Hacking Tools, Hacker News & Cyber Security
量子位
博客园 - 叶小钗
AI
AI
T
Tor Project blog
Forbes - Security
Forbes - Security
W
WeLiveSecurity
博客园_首页
爱范儿
爱范儿
J
Java Code Geeks
B
Blog
G
GRAHAM CLULEY
aimingoo的专栏
aimingoo的专栏
Cloudbric
Cloudbric
C
CXSECURITY Database RSS Feed - CXSecurity.com
TaoSecurity Blog
TaoSecurity Blog
L
LINUX DO - 热门话题
阮一峰的网络日志
阮一峰的网络日志
有赞技术团队
有赞技术团队
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Simon Willison's Weblog
Simon Willison's Weblog
云风的 BLOG
云风的 BLOG
Google DeepMind News
Google DeepMind News
H
Help Net Security
博客园 - 三生石上(FineUI控件)
C
Cisco Blogs
C
Cybersecurity and Infrastructure Security Agency CISA
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
P
Palo Alto Networks Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Recent Commits to openclaw:main
Recent Commits to openclaw:main
博客园 - 司徒正美
The Last Watchdog
The Last Watchdog
Blog — PlanetScale
Blog — PlanetScale
T
The Blog of Author Tim Ferriss
S
Secure Thoughts
Spread Privacy
Spread Privacy
F
Fortinet All Blogs
月光博客
月光博客
大猫的无限游戏
大猫的无限游戏
S
SegmentFault 最新的问题
H
Hackread – Cybersecurity News, Data Breaches, AI and More
A
About on SuperTechFans
Security Latest
Security Latest
Webroot Blog
Webroot Blog
Scott Helme
Scott Helme
Hugging Face - Blog
Hugging Face - Blog

Todyl Blog

CyberChef: How to Decode & Decrypt Malicious Scripts (Step-by-Step Guide) MSP Security Maturity Assessment: Why 79% of MSPs Are Stuck in 2025 The Rising Threat of Malicious AI: What Every Organization Needs to Know Iran Cyber Threat 2026: What SMBs and MSPs Need to Know The OneStart AI Browser Deception Cyber Insurance Requirements Based on Industry Why Third-Party Security Certification Is Your MSP's Competitive Edge Why Cyber Insurance Carriers Are Shifting to Security Assurance Iran Conflict and Cyber Risk: What North American Organizations Need to Know ‍ Why Cyber Resilience Requires Security, Compliance, and Insurance MSP Security Services: How to Position Identity Protection as Competitive Advantage Identity Security Gap Assessment: A Step-by-Step Guide for MSPs How Credential Theft Attacks Are Costing MSP Clients Millions Do I Need Cyber Insurance as a Small Business? Advanced Persistent Threats (APTs) Explained Preparing for CMMC Level 1: What Your Organization Needs to Do The Real Cost of Doing Nothing in Cybersecurity MSP Security: Build vs Buy SOC The Rise of a Cybercrime Alliance: What LockBit, Qilin, and DragonForce Mean for Business Risk Cyber Threat Recovery Strategies for MSPs What MSPs Need to Know about CIRCIA Final Rule ClickFix: The Evolution of Copy-Paste Social Engineering Akira Ransomware: Threat Assessment of a Scalable RaaS Operation The Dos and Don’ts of Applying for a Cyber Insurance Policy What Is Threat Hunting? A Practical Guide for MSPs and SMBs The Business Case for Cyber Threat Management Evaluating Free and Open Source SIEM Tools in 2026 How organizations can combat BEC Using SASE to help meet cyber insurance requirements Introducing the Anomaly Framework Stopping Identity Threats with ITDR through MXDR Security Operations Over Tools Beyond Tools: A Strategic Approach to Data Security Cyber Threat Response Strategies for MSPs Threat Advisory: Email Account Compromise BECs In the Wild: When Millions of People Are Expecting the Same Email Michigan and Wisconsin Proposed Age Verification Bills and the Impact on VPNs and SASE: What You Need to Know Cyber Threat Detection Strategies for MSPs Cyber Threat Prevention Strategies for MSPs Simplifying CMMC Level 1 with Todyl GRC How to Complete Your CMMC Level 1 Self-Assessment: A Step-by-Step Walkthrough Cyber Threats Don't Take Time Off How MSPs Build Lasting Client Relationships Through Proactive Operations Risk Management for MSPs: Why Business Context Changes Everything 5 Pillars for Security Program Growth in 2025 One Action MSPs can take to Address Risk and Secure Clients Building Resilience in a Perimeter-less World with Defense-in-Depth Aligning Technology Implementation to Business Outcomes Top 5 Myths about Cybersecurity How Conditional Access Transforms Your Cybersecurity Program Why MSPs need to embrace a prescriptive model How Texas SB 2610 Positions MSPs as Strategic Risk Advisors Simplifying cybersecurity maturity with managed cloud SIEM Addressing firewall vulnerabilities Understanding the Pitfalls of RDP MSP Zero-Day Response Plan: When Security Tools Can't Help You Old is Gold: Tackling Persistent Vulnerabilities How MXDR drives operational efficiencies Using SASE for secure remote access How to find the best endpoint security solution The Cyber Insurance Crisis: Why MSPs and Their Clients Are Struggling What to ask of a prospective endpoint security vendor Thinking Red, Acting Blue: Turning Attack Tactics in Your Favor Zero-Day Attacks and False Alarms: Lessons for MSPs Dissecting the Recent Rise in 2025 Zero Days MSP Security Monitoring Strategy: Identity and Cloud Blind Spots Introducing the Todyl Community: A Collaborative Platform for MSPs Threat Advisory: PDFast Freeware Compromise Navigating Today’s Cybersecurity Threat Landscape: Where MSPs Should Start Threat Advisory: Understanding the Recent SonicWall SSL VPN Vulnerability and How to Protect Your Clients Partner Spotlight: GoTech IT Solutions Threat Advisory: SQL Injection in FortiClient CVE-2023-48788 The Importance of SSL Inspection Navigating Compliance Frameworks: Common Challenges and Effective Solutions Making the most of SASE Web Filtering Iran & Middle-East Geopolitical Shifts: Emerging Cyber Risks for SMBs MSP Security KPIs That Matter: Beyond Vanity Metrics to Business Outcomes MSP Challenges Looking into 2025 Combining EDR and NGAV for Defense-in-Depth Starting Your Security Framework Journey: A Practical Implementation Guide Cyber Insurance vs. Warranties: Key Risk Management Elements Akira Ransomware: A Persistent Threat to MSP Operations Transforming Cyber Insurance for MSPs and Their Clients Two Truths, Double Whammy: Why Vulnerability Remediation Needs a Rethink Using LAN ZeroTrust for segmentation The role of SIEM in incident response Partner Spotlight: 917 Solutions Threat Advisory: Business Email Compromise Campaign using OVPN for Obfuscation Beyond Implementation: Creating an Ongoing Security Framework Program ClickFix: Fake Captcha Leads to Real Damage Streamlining Security and Compliance Information Gathering with Assessments EpiBrowser: A Sophisticated PUP Masquerading as Chromium Partner Spotlight: AnchorSix Tips to Help MSPs Set Goals for the New Year How SIEM helps detect insider threats Massive Wave of Network Security Vulnerabilities Demands Immediate Action FortiJump: The FortiManager Zero-Day Vulnerability Explained Use cases of SASE: Software-defined perimeter Threat Advisory: LightPerlGirl Malware Why MSPs Must Prioritize CIS Critical Security Controls v8.1 for Client Success
Todyl
Andrew Scott · 2026-06-22 · via Todyl Blog

AI hasn't changed what good security requires. It's changed what happens when you don't have it.

Breakout time, the window between initial access and an attacker moving laterally through a network, is now under 30 minutes in many incidents. Exploitation follows vulnerability disclosure within 24 hours. AI-generated spear phishing is hitting click-through rates of 50-60%, compared to single digits with traditional phishing lures. The attacks are faster, more targeted, and harder to distinguish from legitimate activity.

The same security fundamentals have always mattered. There's just now far less margin for error.

That's the actual definition of an AI-ready security program. Not a new framework. Not a new product category. A standard for how well the fundamentals have to work now, because the cost of gaps that were once recoverable has become catastrophic.

What Is an AI-Ready Security Program?

An AI-ready security program is one built to operate at the speed and scale of AI-accelerated threats. It reduces exploitable attack surface, detects across identity and endpoint, correlates signals across domains, baselines normal behavior, and can contain an active incident within minutes, not hours.

The five criteria below define what that looks like in practice.

1. Attack Surface Reduction Is Now Non-Negotiable

The most effective security win available is not giving attackers something to target.

AI-accelerated reconnaissance is fast. Tools that once required hours of manual effort now sweep public infrastructure, enumerate exposed services, and build target profiles at scale. If you're running legacy VPN infrastructure with known CVEs, operating with over-permissioned accounts, or leaving cloud services exposed without identity-based controls, those gaps will be found.

Attack surface reduction used to be framed as a nice-to-have. It's now essential. The specific shift worth noting: traditional SSL VPNs carry a different risk profile than agent-based Secure Access Service Edge (SASE) solutions. A VPN appliance is a publicly reachable endpoint that can be directly exploited. SASE ties access to device identity and user identity simultaneously, removes the publicly addressable target, and enforces zero-trust access policies at the session level.

An AI-ready program has a documented answer to the question: if an attacker were targeting us today, where would they find their way in? If that answer is unclear or uncomfortable, that's the starting point.

2. Identity Detection: The Layer Most Programs Miss

85% of attacks observed in Todyl's Security Operations Center (SOC) operate entirely at the identity layer and never pivot to the endpoint. They come in through stolen credentials, compromised email accounts, or SSL VPN access using valid usernames and passwords. There is no malware. There is no novel exploit. The attacker logs in.

This has a direct implication for detection coverage: if your visibility starts at the endpoint, you are already behind on most incidents.

Identity detection must be more than what your identity provider offers natively. Microsoft and Azure's built-in detections are a floor, not a ceiling. An AI-ready security program builds its own anomaly framework on top, enriched with external threat intelligence to understand what IPs and sessions look like right now, not just what they looked like historically.

Impossible travel detection, behavioral baselining, OSINT enrichment on login IPs, and industry-contextualized alerting all belong in this layer. None of them require exotic capabilities. They require intentional architecture.

3. Cross-Domain Detection: Why Siloed Alerts Fail

A single alert that fires in isolation is not detection. It's an input to detection. The difference matters enormously at AI-attack speeds.

Here's what that gap looks like in practice: a valid credential used from a new device triggers a low-confidence alert. An unusual PowerShell execution on a workstation triggers a separate low-confidence alert. An inbox forwarding rule gets set. Each event, reviewed in isolation, has an innocent explanation. Reviewed together, in sequence, they describe an active account takeover in progress.

Traditional MDR and siloed detection stacks don't see the story. They see three separate events in three separate dashboards. By the time a human analyst correlates them manually, the attacker has staged data and moved.

An AI-ready detection architecture treats every alert as the anchor for an investigation, not a conclusion. It automatically pulls related signals across identity, endpoint, network, and cloud. It asks: what else was this user doing? Does this match their pattern? What happened in this session before the alert fired? That context converts low-confidence noise into a high-confidence case, and it has to happen at machine speed, because attackers are no longer operating at human speed.

4. Behavioral Detection vs. Signature-Only: Closing the Gap

Attackers have known for years how to avoid signature-based detection. They use legitimate admin tools: Remote Monitoring and Management platforms, PowerShell, PsExec. They log in with real credentials. From a signature perspective, everything they do looks like normal IT activity.

The baseline question for any security program in 2026 is: what does normal look like for each user and device in your environment, and how quickly can you detect deviations from it?

User and Entity Behavior Analytics (UEBA) is one piece of this. If a user who has never run PowerShell suddenly runs a script to enumerate the network, that's not a signature violation. It's a behavioral one. If a credential authenticates from Denver at 9 am and Chicago at 10 am, that's not a malware signature. It's an impossible travel event.

The other piece is understanding the full session. An AI-ready program doesn't just ask whether a login location has been seen before. It asks whether this session looks like what this user does: are they opening their regular documents, emailing their regular contacts, following their regular workflow? That depth of session-level analysis is what closes the gap between catching an attacker on day one and finding them three weeks later.

5. Containment Speed Determines Whether an Incident Is Recoverable

The final criterion is response speed, and it's the one that determines whether an incident becomes a recoverable event or a business-ending one.

Network segmentation enforced through SASE and LAN Zero Trust (LZT) limits how far an attacker can move once they're inside. Even with valid credentials, zero trust constrains lateral movement to only the resources that identity is authorized to reach. In a world where breakout time can be under 30 minutes, that constraint buys critical time.

But segmentation alone isn't enough. The response function needs to match the threat function. Manual triage cycles that take hours to reach a conclusion are structurally too slow for AI-accelerated attacks. An AI-ready program has automated response playbooks, 24/7 coverage, and the ability to isolate, contain, and investigate across identity, endpoint, network, and cloud, not just endpoint.

The question worth asking is if an attacker gained access right now, how quickly could you contain them?

The Three Questions That Matter

I close every conversation about AI-ready security with three diagnostic questions.

Where is your attack surface still open? If you were an attacker, where would you find your way in? Are you OK with that exposure?

Where are your detection coverage gaps? Can you see across identity, endpoint, network, cloud, and SaaS? Do you have the visibility to investigate incidents as they happen, not reconstruct them afterward?

How fast can you contain? When an incident happens, do you have the automated response, 24/7 coverage, and cross-domain response capability to stop it before the damage compounds?

These are diagnostic questions. An organization that can answer all three with confidence has built something that will hold up against AI-accelerated threats. An organization that can't has identified exactly where to start.

What AI-Ready Looks Like in a Security Program

An AI-ready security program is one built to operate at the speed and scale of AI-accelerated threats. It reduces exploitable attack surface, detects across identity and endpoint, correlates signals across domains, baselines normal behavior, and can contain an active incident within minutes, not hours.

The five criteria, summarized:

  • Reduced, managed attack surface area with identity-based access controls in place of legacy perimeter tools
  • Identity as a core detection surface, with custom anomaly detection beyond native provider coverage
  • Cross-domain correlation that treats every alert as an investigation anchor, not an isolated event
  • Behavioral detection that establishes baselines and surfaces deviations, not just signature matches
  • Response capability that can contain across identity, endpoint, network, and cloud, within the timeframe of an AI-accelerated incident

According to the World Economic Forum, 94% of organizations identified AI as the dominant cybersecurity force shaping 2026. The bar for an attacker to conduct sophisticated tradecraft keeps getting lowered. Organizations must prepare for AI-accelerated attacks.  

Check where your security program stands. Take our free AI-readiness assessment.

Frequently Asked Questions

How do AI-accelerated attacks differ from traditional attacks?

Traditional attacks often gave defenders hours or days to detect and respond. AI-accelerated attacks compress that window dramatically. Breakout time in many incidents is now under 30 minutes. Vulnerabilities are exploited within 24 hours of disclosure. AI-generated phishing achieves click-through rates of 50-60%. The fundamentals of good security haven't changed; the margin for error has.

What is behavioral detection in cybersecurity?

Behavioral detection identifies threats by recognizing deviations from established patterns of normal activity, rather than matching known attack signatures. If a user who has never run PowerShell suddenly executes a network enumeration script, or a credential authenticates from two cities within an hour, behavioral detection surfaces those events as threats even when no known malware signature is present.

What is breakout time in a cyberattack?

Breakout time is the window between an attacker's initial access to a network and their first lateral movement to another system or resource. It is one of the most important metrics in incident response because it defines how much time defenders have to detect and contain an intrusion before it expands. In many recent incidents, breakout time is under 30 minutes.