What changes when the attacker uses artificial intelligence

Spain’s National Cryptologic Centre has just published a guide devoted to offensive AI, the BP/36. It is not an alarmist document or science fiction, it is a serious public body acknowledging something that is already happening, that attackers use artificial intelligence in real campaigns.

It is worth reading carefully, because what it describes does not only affect government. It affects any company, yours included, because it changes one very concrete thing in the risk equation, time.

AI does not invent new attacks, it accelerates them

The most important idea in the guide is not that never-before-seen threats appear. It is that the usual ones become faster, cheaper and easier to launch at scale. Phishing, reconnaissance, the hunt for flaws, all of that already existed. AI has simply taken the brake off.

The figures the report gathers make it plain. A phishing email written with AI lands far more often than a traditional one. The reconnaissance of a victim, which used to take hours of manual work, is now automatic and constant. There are mass scans hunting for open doors at a pace no person could ever match.

According to the data the centre cites, AI-backed phishing reaches a success rate of 54 percent, against 12 percent for the usual campaigns. That is not a small improvement, it is more than quadrupling the chance that someone takes the bait.

Your reaction time shrinks

For a company, the practical consequence of all this comes down to one word, speed. Before, between a flaw being discovered and someone exploiting it there was a gap, sometimes weeks. That gap was your cushion to find out, patch and close the door.

That cushion is coming apart. The guide says it bluntly, you have to assume the window between a patch being published and someone exploiting that flaw is tiny. AI makes it possible to go from spotting an opportunity to attacking it at machine speed, with no human having to sit in front of the screen.

The line in the guide that matters most to you

Among all the document’s recommendations there is one that sums up the change in mindset better than any other. You have to assume that any vulnerability you have in production will be found first by an attacker.

Read it again, because it changes everything. It does not say it might happen, it says you should take it as a given. If you have an exposed flaw, the question is no longer whether they will find it, it is whether you will find it first. With an attacker that automates the search, arriving seconds late is arriving late for good.

What this means in practice

The answer the guide puts forward is not buying a magic defensive AI tool. It is something more sensible, going back to basics and doing them well. Knowing what you have exposed at all times, shrinking the surface an attacker can look at, patching quickly what really matters and taking for granted that at some point someone will get in.

There is also a part that fits exactly with what we do. If you have to assume an attacker will find your flaws before you do, the only way to get ahead is to find them yourselves first, with the same offensive mindset that is now powered by AI.

That a body like the centre devotes a whole guide to this is not meant to scare anyone, it is a sign that the ground has shifted. The good news is that the underlying defence is still the same as always, looking at your own security through the eyes of someone who wants to attack you, only now there is less time to do it. That is what we talked about in why auditing costs less than a breach.

---

If you want to know what an attacker would find in your systems today before they actually do, write to us at [email protected].