The best defense against AI attacks turns out to be a skeptical human

Analysts across the security industry now run generative AI through their daily work, from log triage to incident write-ups. Active use in cybersecurity strategy reached 78% of practitioners in 2026, up from half the field a year earlier. The 2026 SANS AI Survey, drawn from 536 IT and security professionals, describes what that commitment costs to keep.

AI attacks

Reliability trailed adoption over the year. Sixty-three percent of practitioners report significant shortcomings when AI detects or responds to threats, well above the share who said so a year earlier. The failures cluster around false positives, trouble spotting new threats, and confident output that turns out wrong. Teams running AI in production describe this as the routine experience.

Trust varies by task, and the survey maps where practitioners draw the line. “Our data shows practitioners are comfortable letting AI classify threats or prioritize vulnerabilities, and far less comfortable letting it confirm a true positive or judge behavioral anomalies,” Matt Bromiley, a SANS certified instructor and incident responder, told Help Net Security. “These tools track that they are good at structured problems and weak at novel, context-dependent calls. You build the instinct by learning a tool’s failure profile and verifying in proportion to what being wrong costs you.”

One survey respondent described treating AI like a digital intern and checking its work. Bromiley put himself in the same camp. “I cannot agree more with this: ‘measure twice, cut once.’ Unfortunately, most teams aren’t instrumented to build that instinct,” he said.

The instinct can be trained, up to a point. “As an instructor, I can attest that the classroom does more than people give it credit for,” Bromiley said. “You can teach failure modes, instrumentation, what to verify before acting, and how to run a system in parallel long enough to see where it drifts. What you can’t lecture into someone is calibration, meaning how much doubt a given output has earned. Good training just compresses those reps into a place where being wrong is cheap.”

The gap he wants to close is measurable. Two-thirds of practitioners have been misdirected by AI guidance at least once in the past year, and 9% more than twenty times.

The offensive side puts a deadline on that judgment. Bromiley described an incident where attacker speed drove the outcome. “I worked at one where the tempo was what caught us off guard,” he said. The intrusion began as a supply chain compromise through a malicious package, which set the foothold inside a trusted software environment. From there the adversary moved through internal reconnaissance to lateral movement within minutes, deploying scripts in quick succession. “The pace felt fast – the adversary was also bringing in scripts that were clearly commented and had good step-through instructions, matching the hallmark traits of a ‘friendly AI-developed script’,” Bromiley said.

“I’d be careful about the attribution. We assessed those scripts as likely AI-generated based on their structure and the speed of iteration, not because we recovered proof,” he said. His case sits in the suspected column of the survey’s numbers. “Of the 78% of organizations reporting AI-enabled attacks, 45% confirmed it and 33% suspected. My case belongs in the second group,” he said.

The timing math is what he wants defenders to sit with. “What changed was cadence. Recon-to-lateral-movement usually buys defenders time because it’s slow and manual. Here, it bought very little time,” Bromiley said. “Detection thresholds and on-call rotations assume some attacker dwell, and that assumption is what is compressed.” Reconnaissance to lateral movement normally runs slow and manual, and the delay is the window a team catches up in. Take it away, and the margin goes with it.

Looking back, Bromiley listed what the team wanted before the first alert fired. “They wanted an accurate inventory of their software supply chain, egress logging that made the recon stage visible in real time, and service accounts scoped so the foothold couldn’t reach as far as it had, which aligns with survey results,” he said. “Practitioners rank behavioral detection, user awareness training, human analyst review, and zero trust as most effective against AI-enabled threats. AI-specific controls rank last. Behavioral detection works because it watches what an attacker does, not what the script wrote. Speed doesn’t require a novel countermeasure; rather, it removes the slack that lets teams improvise past a missing one.”

The controls he named line up with where the broader survey lands. Defenders point mostly at behavioral and human-centered controls, and the specialized AI tooling ranks at the bottom of the list. A trained, skeptical human sits at the center of the durable defenses, which fits the instinct problem Bromiley keeps returning to.

The next 12 months will test whether organizations can close the readiness gap against the deployment they have already committed to. The survey points to validation that tracks precision and recall, governance moved into the controls analysts touch every day, and workforce development treated as an immediate operational need. Bromiley’s case makes the reason concrete. The tempo of an AI-assisted intrusion consumes the exact time defenders have been building their instincts to use.

Guide: What automated pentesting alone cannot see

Don't miss