Fight back faster: Why AI-powered defense is no longer optional for enterprise security
The AI-powered threat environment has already changed in ways that security teams cannot address by working harder or adding head count. According to the Unit 42 Global Incident Response Report 2026, which draws on more than 750 major incidents, attackers can move from initial access to data exfiltration in as little as 72 minutes, four times as fast as in the prior year, and exploit scans begin within 15 minutes of a vulnerability disclosure. AI has not created new categories of attack so much as removed the friction from existing ones, compressing the window in which defenders can respond from days to minutes.
New frontier AI models present a step change in capabilities. Trained to write code, they are remarkably good at finding vulnerabilities, combining multiple lower-severity issues into critical-level exploit paths and analyzing the full exposure surface of applications, including SaaS and public-facing platforms. As more capable frontier AI models become widely accessible, attackers will increasingly be able to automate reconnaissance, vulnerability discovery, phishing campaigns, and lateral movement at a level previously impossible for individual operators or small teams.
As Palo Alto Networks Chairman and CEO Nikesh Arora writes in Weaponized Intelligence, frontier AI models are now capable of methodically cataloging every weakness in an organization’s technology infrastructure, at scale and without pause. Aided by frontier AI, a single threat actor will be able to run campaigns that once required entire teams.
What makes this moment especially dangerous is that most organizations are not losing ground to exotic, novel exploits. Instead, AI-powered attacks are rapidly taking advantage of conditions that CIOs already had the ability to fix. In more than 90% of the incidents Unit 42 investigated, preventable gaps in security coverage materially enabled the intrusion. Misconfigurations, inconsistently applied controls, and excessive identity trust were more decisive than any zero-day vulnerability.
The structural problem runs deeper than any individual gap. Arora writes that in 75% of breaches, the logs that should have flagged the anomalous behavior already existed. The warning signs were there, but they were buried across fragmented, disconnected tools where no one could see the full picture. This gap was arguably manageable when attacks moved at human speed. At the speed that AI will soon enable, it has become a critical liability.
Siloed security environments operating at human speed cannot keep pace with threats that move in minutes. Consolidating that infrastructure is now a prerequisite for an effective defense.
Fighting AI with AI
The same AI capabilities that are amplifying attacker speed and scale can be deployed in defense, but only within the right architecture. As Arora argues, models alone cannot provide sufficient enterprise security without an underlying infrastructure that includes sensors across endpoints, networks, identity, cloud, and browsers, along with AI-enabled data lakes that give models the context they need.
Agentic defenses operationalize such an architecture. Rather than waiting for a human analyst to correlate signals across multiple tools, autonomous systems investigate alerts at machine speed, correlate data across the entire environment, and rapidly execute containment. Revoking a compromised credential, isolating an affected workload, or blocking lateral movement no longer depends on an analyst’s being available at the right moment.
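To make the two preceding points concrete, the fragmented-logging problem and the agentic correlate-then-contain loop, here is an added example that is not code from the original article and not Cortex XSIAM's own logic. It assumes three hypothetical telemetry sources (an identity provider, an endpoint agent, and a network sensor), constructed log events, illustrative scoring weights, and hypothetical action names such as `revoke_sessions` and `isolate_host`. Each tool on its own stays below the containment threshold; only the cross-source chain, linked through the host-to-user mapping that endpoint telemetry provides, crosses it.

```python
"""Correlate signals split across tools, then decide automated containment.

Added example, not Cortex XSIAM code. Sources, field names, weights, thresholds
and action names are hypothetical; the events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events from three separate tools. The identity provider sees only
# users, the network sensor sees only hosts, and the endpoint agent sees both.
EVENTS = [
    {"source": "idp", "ts": "2026-01-10T02:01:00", "user": "jdoe", "host": None,
     "action": "login", "detail": "new_country"},
    {"source": "endpoint", "ts": "2026-01-10T02:14:00", "user": "jdoe", "host": "ws-042",
     "action": "process", "detail": "rclone.exe"},
    {"source": "network", "ts": "2026-01-10T02:20:00", "user": None, "host": "ws-042",
     "action": "egress", "detail": "1.8GB to cloud storage"},
    {"source": "network", "ts": "2026-01-10T02:22:00", "user": None, "host": "ws-042",
     "action": "smb", "detail": "to fs-01"},
    # Benign noise: a different user logging in from a new country, nothing else.
    {"source": "idp", "ts": "2026-01-10T09:00:00", "user": "asmith", "host": None,
     "action": "login", "detail": "new_country"},
]

SUSPICIOUS_TOOLS = {"rclone.exe", "megasync.exe"}  # hypothetical watchlist
WINDOW = timedelta(hours=1)                          # correlation window (assumed)
CONTAIN_THRESHOLD = 6                                # illustrative, not a tuned value


def weight(ev):
    """Score one event in isolation. Any single signal here is weak on its own."""
    key = (ev["source"], ev["action"])
    if key == ("idp", "login") and ev["detail"] == "new_country":
        return 2
    if key == ("endpoint", "process") and ev["detail"].lower() in SUSPICIOUS_TOOLS:
        return 3
    if key == ("network", "egress"):
        return 3
    if key == ("network", "smb"):
        return 2
    return 0


def siloed_scores(events):
    """Best score each tool could reach alone, keyed on whatever entity it sees."""
    out = {}
    for source in {e["source"] for e in events}:
        totals = defaultdict(int)
        for e in events:
            if e["source"] == source:
                totals[e["user"] or e["host"]] += weight(e)
        out[source] = max(totals.values())
    return out


def correlate(events, window=WINDOW):
    """Stitch events onto a user and find the highest-scoring chain per user."""
    # Endpoint telemetry is the join key: it maps hosts (network view) to users (IdP view).
    host_owner = {e["host"]: e["user"] for e in events
                  if e["source"] == "endpoint" and e["host"] and e["user"]}
    per_user = defaultdict(list)
    for ev in events:
        user = ev["user"] or host_owner.get(ev["host"])
        if user:
            per_user[user].append(ev)

    cases = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(evs):
            t0 = datetime.fromisoformat(start["ts"])
            chain = [e for e in evs[i:] if datetime.fromisoformat(e["ts"]) - t0 <= window]
            score = sum(weight(e) for e in chain)
            if best is None or score > best["score"]:
                best = {"user": user, "score": score,
                        "sources": sorted({e["source"] for e in chain}),
                        "hosts": sorted({e["host"] for e in chain if e["host"]}),
                        "lateral": any(e["action"] == "smb" for e in chain)}
        cases[user] = best
    return cases


def plan_containment(case, threshold=CONTAIN_THRESHOLD):
    """Return the automated actions a playbook would run (hypothetical action names)."""
    # A single-tool signal stays an alert for a human; automation needs corroboration.
    if case["score"] < threshold or len(case["sources"]) < 2:
        return []
    actions = [("revoke_sessions", case["user"])]
    actions += [("isolate_host", h) for h in case["hosts"]]
    if case["lateral"]:
        actions += [("block_lateral", h) for h in case["hosts"]]
    return actions


if __name__ == "__main__":
    print("per-tool best scores:", siloed_scores(EVENTS))
    for user, case in correlate(EVENTS).items():
        print(user, case["score"], case["sources"], plan_containment(case))
```

Run stand-alone, the script shows the identity, endpoint and network tools each topping out below the threshold, while the correlated chain for `jdoe` scores well above it and yields a revoke, isolate and lateral-block plan; the `asmith` login stays an alert. The requirement of at least two corroborating sources before any automated action is a deliberate guard against acting on a single noisy signal.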
What this looks like in practice
Palo Alto Networks has built this architecture into Cortex XSIAM, its AI-driven security operations platform. In a 15-minute keynote, Lee Klarich, chief product and technology officer, describes how Cortex ingests raw data from any source, applies 2,900 machine learning models to detect attack behaviors, including previously unseen ones, and executes 1.9 billion automated actions per year through more than 1,300 built-in playbooks. The result for organizations using the platform has been roughly a quarter of the previous manual work and mean time to remediation measured in minutes rather than days. With AI agents now embedded in the automation engine, Klarich expects that performance to improve further still.
The window to act is open. Security teams that consolidate their infrastructure, invest in AI-driven detection, and build agentic response capability now will be far better positioned than those that wait for the threat landscape to force their hand.