Cyberattackers are using AI agents that work while their humans sleep

AI has cut the time attackers need to breach your systems to single-digit days. The attack window used to be a year. Now it's days.

Contributed Content

[Image: Attackers now breach systems in days, not months. Here's what changed. Image created with TechNation's TN:AI Workflow.]


Ten years ago, it took attackers more than a year to exploit a known vulnerability after identifying it. Last year, that window had shrunk to 11 days. Today, because of widespread AI and large language model use by threat actors, it is down to single digits.

That trajectory was the opening frame of a security session at the Google Cloud Summit Johannesburg on Wednesday, delivered by Donovan Mooney, Regional Manager for SADC at Mandiant, which is part of Google Cloud.

In cybersecurity, AI is dangerous, in theory and in practice. We know this. Mooney’s argument was not that. It was that attackers are already using it, have been for a while, and the gap between what they can do now and what most organisations are prepared for is widening fast.

“Accelerating opportunity brings accelerating threats,” Mooney said. “We speak about those out of a very secure and safe place of knowledge.”

Mandiant tracks over 4,500 active threat groups globally. The team monitors motivation, tools, and tactics, and feeds real-time incident response data from customer breaches back into their security platform.

[Image: Donovan Mooney, Regional Manager SADC at Mandiant, at Google Cloud Summit Johannesburg. Image: Cheryl Kahla]

In addition, Google spends about 500,000 hours per year on incident response, across nation states, government departments, financial institutions, and healthcare organisations.

Three changes

Mooney described three ways AI has changed the threat landscape.

Speed is the most immediate

The dwell time compression from over a year to single digits is not a gradual shift, but rather reflects a qualitative change in how attackers operate.

With AI tooling, threat actors can identify targets and conduct reconnaissance within days rather than months. They can also find vulnerabilities and launch attacks just as fast.

Scale is the second shift

Previously, building and deploying malware required skilled developers, significant infrastructure, and a great deal of time. AI has changed that equation.

Attackers can now generate new malware or modify existing malware to evade signature-based detection in minutes, work that previously took weeks. The barrier to entry for launching large-scale attacks has dropped considerably.

The third shift is sophistication

Mandiant has been tracking six new threat groups since May. These groups are using AI to write attack code, and also to spin up autonomous agents that continue an attack independently.

[Image: AI threats in cybersecurity. Image created with TechNation’s TN:AI Workflow.]

Writing attack code used to be a big thing on its own. Human operators now simply launch a campaign and set the agents running. While those agents are busy, the operators move on to the next target, set another campaign in motion autonomously, move on again, and repeat.

“Just imagine that,” Mooney said. “AI spinning up new tactics autonomously against our customers.”

Attackers are also using AI to conduct social engineering at scale, including deepfake images and videos to set the scene for phishing and fraud campaigns. Prompt injection attacks have increased.

The combination of speed, scale, and sophistication means that what was once an expensive, skilled operation is now accessible to a much wider range of threat actors.


From 30 minutes to one minute

On the defensive side, Mooney presented Google’s own numbers. A slide at the session confirmed that its Triage and Investigation agent has reduced typical manual alert analysis time from 30 minutes to one minute, across more than five million processed alerts.

Look at the context: A SOC analyst arriving at work to a list of 100 high-priority alerts, all marked critical, cannot meaningfully triage all of them. The backlog is the problem, but Gemini integration into Google’s Security Operations platform made analysts seven times more effective.

The next phase, which Mooney described as agentic SecOps, is projected to multiply that by a further factor of 30.

“What happens if we can get those guys to five or six important things a day but doing them well?” Mooney said. “That changes them.”

He was clear that this does not mean fewer analysts. Please, don’t go and lay off your analysts. It just means analysts spend less time on noise and more time on genuine threats, which reduces the cost per breach and the time to resolution.

[Infographic: AI in cybersecurity. Infographic generated with Google AI tools.]

According to IDC data Mooney cited, Google’s threat intelligence customers proactively identify 139% more threats than they would otherwise.

The intelligence feeding that system comes from multiple sources, including Google Mail, VirusTotal, Google Threat Intelligence, and Mandiant’s own incident response work at the customer coalface.

What Wiz brings to the stack

Mooney also covered Google’s acquisition of Wiz, the cloud and AI security company, describing it as a start-to-end solution covering the full lifecycle of an AI agent from code through to runtime and back again.

The Wiz platform covers three areas:

  • Wiz Code handles secure development, proactively testing reachable risk from the AI development lifecycle.
  • Wiz Cloud manages cloud, hybrid, and AI risk posture.
  • Wiz Defend detects and contains malicious cloud and AI attacks.

The platform is cloud-agnostic, which Mooney flagged as particularly relevant in the South African market where multi-cloud environments are common.

Mooney cited a figure he attributed to cve.org showing that Google Cloud Platform infrastructure is 70% less likely to experience critical or high-level vulnerabilities compared to other cloud infrastructure.

He also noted that 50% of Wiz’s risk customers have reached zero critical risks in their environments, a claim he described as almost unheard of in enterprise IT security.

The South African context

South Africa is not a peripheral market for this conversation.

Nearly 90% of South African organisations reported at least one security breach in the past year, according to a 2024 study by the CSIR (Council for Scientific and Industrial Research). Of those, 90% said they were targeted multiple times.

Meanwhile, 63% of cybersecurity jobs in South Africa are either partially or fully unfilled.

The skills gap is exactly the environment in which AI-powered attacks become more dangerous and AI-powered defences become more necessary.

Earlier this year, Google Cloud announced that it is providing up to 12,000 students with access to the Google Cybersecurity Professional Certificate through a partnership with NEMISA, alongside 1,000 places for public service employees through the Department of Public Service and Administration.

Mooney’s closing line was simple: “Adopt AI. Do it with trust but verify first.”

Before you @ us:

No, AI did not “write this article.” Calm down. This piece was produced using our TN:AI newsroom workflow. The opinions and typos belong to a human who has algorithmic side quests. (Hi!) We even wrote an AI policy so nobody panics.

🧠 AI-assisted research + summarisation 📝 Human edited + fact-checked
