What RSAC 2026 Revealed About Threat Intelligence and Collective Defense

Key takeaways

  • Attack window collapsed to 22 seconds. The time from initial access to adversary handoff has shrunk from eight hours to 22 seconds.

The time between access and handoff has shrunk significantly. Historically, attackers who gained access to a network often took several hours to start spreading laterally, and they usually took some time to establish command and control channels. Today, most adversaries are able to accomplish all of this in under 20 seconds.

  • Traditional security workflows are post-mortem. Given the extremely short time frames involved today, most organizations' traditional security workflow processes are essentially post-mortem. Therefore, to actually achieve security results, intelligence must be tied into active workflows in near-real-time.

Adversaries have developed mature agentic AI operations. While many CISOs are still considering whether or not to adopt AI technologies, adversaries have already developed and are actively using mature agentic AI-based operations.

AI agents automate ransomware data analysis and reconnaissance. Researchers from Trend Micro presented "VibeCrime," which demonstrated how modern agentic AI-based systems are now capable of automating ransomware data analysis and reconnaissance. These systems quickly review terabytes of exfiltrated data and select only the files most valuable for extorting money from victims.

Manually routing intelligence creates a critical bottleneck. Target provided evidence of another significant issue in Cyber Threat Intelligence (CTI): the disconnect between the teams producing intelligence and those acting upon that intelligence. In too many organizations, intelligence is manually routed through static reports or ticketing systems. This creates a bottleneck right when speed is the most important factor.

Automating the handoff process is essential for unified threat intelligence management. Cybersecurity experts agree that to bridge the gap between Cyber Threat Intelligence and incident response teams, automation is required. Cyware provides a solution with the Intelligence Suite that normalizes threat data from over 400 integrations, ties it together, and delivers it into the security tools used by each organization. As a result, analysts spend less time routing data and more time engaging with threats.

Automated sharing infrastructure is required for meaningful collective defense. Several leaders from different ISACs (Information Sharing & Analysis Centers) emphasized the two largest obstacles to intelligence sharing: legal issues relating to the sharing of threat data and format compatibility issues. Technical architectures must support automated sharing solutions to overcome the policy barriers.

The UAE's "Crystal Ball" initiative demonstrates automated threat data exchange across borders. It is one example of an initiative that uses an automated method to exchange threat data between countries. Cyware Collaborate enables organizations to collaborate, co-author advisories, and develop coordinated responses to crises in near-real-time.

AI agents create new attack surfaces. Microsoft's Vasu Jakkal forecasted that there will be over 1.3 billion AI agents in operation by 2028. The advent of AI agents dramatically changes the attack surface. Once it was primarily made up of static endpoint devices; today it consists of dynamic, machine-created entities.

Threat intelligence must expand to include attacks directed against AI models. Because AI agents are becoming integral to business functions, threat intelligence must begin expanding to include attacks targeted against AI models themselves. During RSAC, examples of adversarial machine learning techniques were discussed, including model poisoning, where attackers alter the logic of an AI agent, and prompt injection, where attackers inject malicious prompts into an AI agent so as to elicit certain outputs. Additionally, attackers may seek to steal an AI agent's training data or utilize API keys or model weights for illicit purposes. Intelligence must be both structurally organized and constantly refreshed in order to successfully identify these emerging threats related to AI security.

Conclusion

RSAC 2026 reinforced that the greatest barrier facing security teams is not the quality of detection capabilities but rather speed-to-action. Improved detection capabilities are meaningless unless accompanied by faster operationalization mechanisms.

Cyware's threat intelligence platform is designed specifically for this purpose: unify threat intelligence management processes, facilitate large-scale collective defense, and provide AI-powered workflows that enable teams to turn threat data into active defenses.

Frequently asked questions

Can threat intelligence teams measure whether their data is being operationalized quickly enough?

Yes, through Mean Time to Action (MTTA). MTTA is defined as the number of seconds from the ingestion of an indicator until it is deployed as a block rule within a firewall or endpoint detection & response system. For any successful program, MTTA should approximate the attacker's window.
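One way to compute MTTA as defined above, shown as an added example that is not from the original article or from any vendor's product. The JSON event schema (`ts`, `event`, `indicator`, `tool`) and the sample events are constructed assumptions; the 22-second threshold is the attack window cited in this article.

```python
import json
from datetime import datetime
from statistics import mean, median

ATTACKER_WINDOW_S = 22  # access-to-handoff window cited in the article

# Constructed sample events (hypothetical schema, not real telemetry).
EVENTS = """\
{"ts": "2026-04-01T10:00:00+00:00", "event": "ingested", "indicator": "ioc-a"}
{"ts": "2026-04-01T10:00:05+00:00", "event": "ingested", "indicator": "ioc-b"}
{"ts": "2026-04-01T10:00:15+00:00", "event": "deployed", "indicator": "ioc-a", "tool": "firewall"}
{"ts": "2026-04-01T10:01:00+00:00", "event": "ingested", "indicator": "ioc-c"}
{"ts": "2026-04-01T10:01:20+00:00", "event": "deployed", "indicator": "ioc-c", "tool": "firewall"}
{"ts": "2026-04-01T10:02:00+00:00", "event": "deployed", "indicator": "ioc-c", "tool": "edr"}
{"ts": "2026-04-01T10:02:00+00:00", "event": "ingested", "indicator": "ioc-d"}
{"ts": "2026-04-01T10:04:05+00:00", "event": "deployed", "indicator": "ioc-b", "tool": "edr"}
{"ts": "2026-04-01T10:05:00+00:00", "event": "ingested", "indicator": "ioc-a"}
"""

def mtta_report(lines, window_s=ATTACKER_WINDOW_S):
    """Per-indicator ingest-to-block latency plus summary statistics."""
    first = {"ingested": {}, "deployed": {}}
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["event"] not in first:
            continue  # ignore unrelated event types
        ts = datetime.fromisoformat(ev["ts"])
        seen = first[ev["event"]]
        # Keep the earliest timestamp: duplicate feed hits and second-tool
        # deployments must not stretch or shrink the measured latency.
        if ev["indicator"] not in seen or ts < seen[ev["indicator"]]:
            seen[ev["indicator"]] = ts
    latencies = {
        ioc: (first["deployed"][ioc] - t0).total_seconds()
        for ioc, t0 in first["ingested"].items()
        if ioc in first["deployed"] and first["deployed"][ioc] >= t0
    }
    values = list(latencies.values())
    return {
        "latencies": latencies,
        "mtta_s": mean(values) if values else None,
        "median_s": median(values) if values else None,
        "within_window": sum(v <= window_s for v in values),
        # Ingested but never blocked: excluded from the mean, so report them.
        "pending": sorted(set(first["ingested"]) - set(latencies)),
    }

if __name__ == "__main__":
    print(mtta_report(EVENTS.splitlines()))
```

On the sample data the mean is pulled far above the median by one slow deployment, and one indicator never reaches a block rule at all, which is why the median, the within-window count and the pending list are reported alongside MTTA.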

What prerequisites should be met before implementing agentic AI into your organization's threat intelligence workflow?

First, you need a unified data foundation. Any type of AI agent relies upon clean, normalized data from multiple sources to function correctly. Organizations must first implement a platform that can normalize multiple feeds before adding AI orchestration capabilities.

What structural obstacles most impede effective collective defense through shared threat intelligence?

The two most significant structural barriers are technical incompatibilities (such as differing data formats) and legal hurdles (e.g., compliance with local laws governing the handling and disclosure of sensitive data).

What changes should security teams make to their current CTI programs now that AI agents are becoming increasingly common?

Security teams need to transition from focusing on static indicators to analyzing behavioral patterns (TTPs). Because AI agents can generate unique indicators at scale, identifying the underlying behavior is the only way to maintain proactive defensive mechanisms.
