Germany's Federal Office for Information Security (BSI) published a threat assessment in late June 2026 that deserves attention. The core finding: artificial intelligence is shifting the balance between attackers and defenders – in favour of the attackers. No hype, no distant future scenario. This is happening now.
Here is what it means in practice, why patching alone is no longer enough, and what you should adjust going forward.
From Phishing Tool to Autonomous Attack Engine
AI in cybercrime is nothing new. Threat actors have been using language models for a while – mainly to craft more convincing phishing emails or localise content. That was annoying, but manageable.
What has changed is the capability tier. Current frontier models can systematically scan source code for vulnerabilities, analyse what they find, and generate working exploit code. Tasks that used to take experienced security researchers days or weeks now take AI agents hours – sometimes fully autonomously.
There is another angle to this: through a technique called patch-diffing, attackers can reverse-engineer a freshly released security update and figure out the underlying vulnerability within hours. A patch effectively becomes a blueprint for an exploit – available almost immediately after publication.
The Numbers Are Hard to Ignore
Mandiant's M-Trends 2026 report contains a figure worth sitting with: the median time-to-exploitation of a vulnerability is now minus seven days. In the median case, a vulnerability is being exploited a full week before a patch even exists.
The classic response chain – patch released → IT team reviews → rollout within days – no longer works as a protection strategy. By the time a patch is deployed, attackers have often already gained a foothold.
Beyond Exploits: AI as a Social Engineering Weapon
Alongside the technical attack vector, AI is becoming increasingly effective in social engineering. Personalised phishing campaigns built from publicly available information – company websites, LinkedIn profiles, social media – can now be generated at scale with minimal manual effort. Lower cost for attackers, higher quality output.
A step beyond that: deepfake-based attacks. Fake video calls, AI-generated voices impersonating colleagues or managers. These are no longer theoretical. They are showing up in real incidents.
AI Systems as Targets Themselves
An angle that often gets overlooked: AI systems do not just expand the attack surface through their capabilities as tools for adversaries. They are also a new attack target in their own right.
Prompt injection attacks exploit the fact that AI models process instructions from external sources – documents, web pages, emails that a user feeds to the model. When a language model is connected to real system APIs in automated workflows, a well-placed instruction inside a document can cause the model to take actions the user never intended. Data exfiltration, unauthorised system access, malware downloads – all are possible in the right setup.
AI components need to be treated like any other security-critical software: with isolation, access controls, and validation layers.
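One way such a validation layer can look, as an added example that is not part of the original article or of the BSI assessment: every tool call the model requests passes a default-deny policy, and the session is marked tainted once untrusted content enters the context. The tool names, hosts and domains are hypothetical.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical tool names and policy values, constructed for this example.
READ_ONLY_TOOLS = {"search_docs", "read_file"}
ALLOWED_HOSTS = {"intranet.example.com"}
ALLOWED_MAIL_DOMAINS = {"example.com"}

@dataclass
class Session:
    tainted: bool = False                 # True once untrusted text entered the context
    audit: list = field(default_factory=list)

    def ingest(self, source: str, trusted: bool) -> None:
        """Record that content from `source` was added to the model context."""
        self.tainted = self.tainted or not trusted
        self.audit.append(("ingest", source, trusted))

def authorize(session: Session, tool: str, args: dict) -> str:
    """Decide on a model-requested tool call: 'allow', 'confirm' or 'deny'."""
    decision = "deny"                     # default deny: unknown tools never run
    if tool in READ_ONLY_TOOLS:
        decision = "allow"
    elif tool == "http_get":
        # Exact host match; a suffix or substring check would be bypassable.
        host = urlparse(str(args.get("url", ""))).hostname or ""
        if host in ALLOWED_HOSTS:
            decision = "allow"
    elif tool == "send_email":
        domain = str(args.get("to", "")).rpartition("@")[2].lower()
        if domain in ALLOWED_MAIL_DOMAINS:
            # Internal recipient, but a human approves if untrusted text is in context.
            decision = "confirm" if session.tainted else "allow"
    session.audit.append(("call", tool, decision))
    return decision

if __name__ == "__main__":
    s = Session()
    s.ingest("uploaded:invoice.pdf", trusted=False)   # constructed scenario
    for tool, args in [("read_file", {"path": "notes.txt"}),
                       ("send_email", {"to": "bob@example.com"}),
                       ("send_email", {"to": "drop@unknown.invalid"}),
                       ("http_get", {"url": "https://files.unknown.invalid/x"})]:
        print(tool, args, "->", authorize(s, tool, args))
```

The gate runs outside the model, so an instruction hidden in a document can change what the model asks for but not what the policy permits.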
What You Should Actually Do Now
The good news: the necessary measures are not revolutionary. Most of them are well known – but in practice they get postponed or half-heartedly implemented. Given the current threat landscape, postponement is no longer a viable option.
Know and reduce your attack surface
You can only protect what you know about. Build a complete inventory of all systems and applications in your organisation, especially anything reachable from the internet. For each exposed system, ask whether that exposure is genuinely necessary. Management interfaces and admin panels have no business being publicly accessible.
Network segmentation is not a luxury – it is basic hygiene. A single compromised machine should not be able to take down your entire infrastructure.
Speed up your patch management
The buffer IT teams used to have has shrunk dramatically. Exposed systems – firewalls, VPN gateways, remote access solutions – need to be patchable within hours, not days. That requires clear ownership, tested rollout processes, and an accurate asset inventory.
Automation helps, but full auto-patching without prior review is risky. Failed updates can take services down. The balance between speed and validation needs to be defined before an incident, not during one.
Adopt "Assume Breach" as a baseline posture
It is not a question of if, but when. Every internet-facing system will eventually be targeted. Design your security architecture accordingly: monitoring, logging, and detection need to be in place to catch active attacks – not discover them weeks later.
Pay particular attention to patched zero-days. When a critical vulnerability gets closed, the question should not be "are we safe now?" but "were we already compromised between the first exploitation and our own patch rollout?"
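That question can be turned into a repeatable log review, shown here as an added example that is not part of the original article: for each host, the window runs from a margin before the first known exploitation until that host's own patch time, and stays open for hosts not yet patched. Hostnames, the endpoint, addresses and timestamps are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample data: hosts, paths, addresses and times are placeholders.
FIRST_KNOWN_EXPLOITATION = datetime(2026, 6, 1)      # date given in the advisory
LOOKBACK_MARGIN = timedelta(days=7)                  # exploitation may predate reports
PATCHED_AT = {"vpn-gw-1": datetime(2026, 6, 9, 14, 0),
              "vpn-gw-2": datetime(2026, 6, 12, 8, 30)}   # vpn-gw-3 not patched yet
AFFECTED_PATH = "/remote/login"                      # hypothetical vulnerable endpoint

LOG_LINES = """\
2026-05-20T10:00:00 vpn-gw-1 198.51.100.7 POST /remote/login 200
2026-05-27T03:12:44 vpn-gw-1 203.0.113.50 POST /remote/login 200
2026-06-10T09:00:00 vpn-gw-1 203.0.113.50 POST /remote/login 403
2026-06-11T22:41:03 vpn-gw-2 203.0.113.50 POST /remote/login 200
2026-06-11T22:45:00 vpn-gw-2 192.0.2.10 GET /status 200
2026-06-20T01:02:03 vpn-gw-3 203.0.113.50 POST /remote/login 200
""".splitlines()

def exposure_window(host):
    """Window to review: from before first known exploitation until our own patch."""
    start = FIRST_KNOWN_EXPLOITATION - LOOKBACK_MARGIN
    return start, PATCHED_AT.get(host, datetime.max)   # unpatched: still open

def hunt(lines):
    """Return requests to the affected endpoint that fall inside each host's window."""
    hits = []
    for line in lines:
        ts, host, src, method, path, status = line.split()
        start, end = exposure_window(host)
        if start <= datetime.fromisoformat(ts) <= end and path.startswith(AFFECTED_PATH):
            hits.append((host, src, ts, status))
    return hits

def sources_on_multiple_hosts(hits):
    """Sources seen on more than one host during exposure deserve review first."""
    hosts_by_src = {}
    for host, src, _, _ in hits:
        hosts_by_src.setdefault(src, set()).add(host)
    return {src: sorted(h) for src, h in hosts_by_src.items() if len(h) > 1}

if __name__ == "__main__":
    found = hunt(LOG_LINES)
    for hit in found:
        print(hit)
    print(sources_on_multiple_hosts(found))
```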
Stop relying on CVSS scores alone
AI models can chain together vulnerabilities that look harmless in isolation. A CVSS score of 5.0 combined with two other medium-severity findings can produce a complete attack path. Evaluate vulnerabilities in the context of your actual environment – what systems are exposed, what data sits behind them, what lateral movement would be possible.
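The difference between score-based and context-based triage, as an added example that is not part of the original article: a breadth-first search over constructed findings shows three medium-severity issues forming a path from the internet to a database, while the only finding above a CVSS threshold of 7.0 is unreachable. Finding ids, hosts and scores are placeholders.

```python
from collections import deque

# Constructed findings. `reachable_from` lists the network positions from which
# the finding can be exploited; exploiting it yields a foothold on `host`.
FINDINGS = [
    {"id": "F-1", "host": "web-01",   "cvss": 5.0, "reachable_from": {"internet"}},
    {"id": "F-2", "host": "app-02",   "cvss": 5.4, "reachable_from": {"web-01"}},
    {"id": "F-3", "host": "db-03",    "cvss": 6.1, "reachable_from": {"app-02"}},
    {"id": "F-4", "host": "print-09", "cvss": 9.8, "reachable_from": {"mgmt-lan"}},
]

def attack_paths(findings, start, targets):
    """Breadth-first search: shortest chain of findings from `start` to each target."""
    by_position = {}
    for f in findings:
        for pos in f["reachable_from"]:
            by_position.setdefault(pos, []).append(f)
    paths, seen, queue = {}, {start}, deque([(start, [])])
    while queue:
        pos, chain = queue.popleft()
        for f in by_position.get(pos, []):
            host = f["host"]
            if host in seen:
                continue
            seen.add(host)
            new_chain = chain + [f]
            if host in targets:
                paths[host] = new_chain
            queue.append((host, new_chain))
    return paths

def triage(findings, start, targets, threshold=7.0):
    """Compare what a score threshold flags with what lies on a real path."""
    by_score = {f["id"] for f in findings if f["cvss"] >= threshold}
    on_path = {f["id"] for chain in attack_paths(findings, start, targets).values()
               for f in chain}
    return by_score, on_path

if __name__ == "__main__":
    by_score, on_path = triage(FINDINGS, "internet", {"db-03"})
    print("flagged by CVSS >= 7.0:", sorted(by_score))
    print("on a path to db-03:   ", sorted(on_path))
```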
Train your people
Technical controls only go so far when humans open attack vectors. Regular awareness training on phishing, deepfakes, and social engineering is now a baseline requirement – and it needs to go beyond the classic "don't click suspicious links" message.
AI Is Not Only a Risk
In fairness: AI is not purely a threat. The same capabilities that help attackers are available to defenders too. AI-assisted vulnerability scanning, automated monitoring, support for penetration testing, and offloading routine IT tasks are real advantages that can be put to work today.
The difference is that attackers do not need to go through approval processes, wait for maintenance windows, or worry about operational stability. Defenders do. That is why the response to the new threat landscape needs to be structural – not just reactive.
The Bottom Line
The landscape has shifted. AI makes attacks faster, cheaper, and accessible to actors who previously lacked the technical capability. The BSI is explicit: security programmes, processes, and response mechanisms need to adapt to a significantly faster and more complex threat environment.
If your IT security still runs on the principle of "patch when there's time, monitor when there's budget", you will feel the consequences.