AI in Offensive Security

A campaign generates a unique, contextually relevant lure for every recipient, pulled from public profiles, written in the recipient's native language with reference to recent meetings and projects. Click rates climb because nothing pattern-matches as a template. The defensive response isn't 'better filters' alone — it's process changes around the actions phishing tries to trigger (wire approvals, credential resets, code-signing requests).

In 2023, attackers used a cloned voice of a Retool executive in vishing of an IT employee, leading to a compromise that exposed customer data. In early 2024, attackers used a deepfake video conference call impersonating Arup's Hong Kong CFO to authorize a $25M wire transfer. Modern help desks now require callback to a known number; modern wire-approval flows require dual-channel confirmation regardless of urgency. Both incidents predate the worst of the 2025-2026 capability curve.

Scattered Spider used a 10-minute social-engineering call against MGM's IT help desk to reset MFA on a privileged account, leading to a $100M+ outage. Caesars paid a reported $15M ransom from an adjacent attack. Neither attack required AI — but both illustrate the help-desk identity-verification weaknesses that AI-driven voice cloning makes dramatically worse.

Public assets, certificate transparency logs, GitHub history, and breach data correlate automatically into a target dossier in minutes. Asset inventory hygiene becomes a defensive control, not a CMDB chore — what's discoverable about you is what attackers will use.

Anthropic withheld Claude Mythos from public release after it autonomously identified CVE-2026-4747 (a 17-year-old FreeBSD NFS root RCE) and reproduced exploits with 83.1% first-try success. Defenders should assume equivalent capabilities will reach motivated adversaries — plan inventory, patch automation, and incident response with that assumption baked in. The B3 vulnerability management page covers the defensive operating model in detail.

Attackers use models to summarize patch diffs published with security releases and propose hypotheses about what was fixed. The same capability is available to defenders; defenders are usually slower to deploy. N-day exploitation windows have shrunk meaningfully since 2023.

Modern AI-generated phishing reads like competent corporate writing. Training on signal patterns (sender, link target, request type, urgency, novel payment instructions) ages better than training on prose quality.

If your help-desk reset flow accepts a voice as identity, you have a deepfake exposure. Add a callback to a known number or out-of-band step. MGM (2023) is the canonical lesson here, and it predates the worst of the AI capability curve.

Red teams that don't model AI-augmented recon and phishing miss a realistic attack path. Update the rules of engagement to permit it, with appropriate guardrails on harm and scope.

Vendors will sell you 'AI-powered detection of AI-generated content'; ask for the false-positive rate on your data and what it actually triggers on. Most are weaker than they sound, and the arms race favors generators over detectors.

Every deepfake-fraud post-mortem includes 'we knew this was possible but didn't think it would happen to us.' That's the disbelief failure mode, and it's the most consistent contributor to expensive incidents.

Every additional verification step on a help-desk call lowers vendor-fraud risk and raises legitimate-user friction. The right level is org-specific and worth measuring against actual attack data, not assumed user complaints.

Reliably detecting AI-generated content is unsolved at scale. Accepting that some content will be synthetic and adjusting workflows around it is more durable than chasing detectors that the next generator iteration will defeat.

Quarterly with topical refreshers tends to land better than annual modules. The technique evolution is now fast enough that annual training is calendar-aligned, not threat-aligned.

Detailed public discussion of offensive AI helps defenders calibrate but also helps attackers. Most credible research now favors high-level discussion with private disclosure of specifics — Anthropic's Mythos handling is a recent reference point worth studying.

If a deepfake-driven incident lands, the temptation is to delay disclosure until investigation completes. Customers, partners, and regulators increasingly expect notification on the same hour, not the same week. Plan the disclosure path in advance.