Cybersecurity has always offered more than its share of complications and challenges. Wily attackers continually figure out new ways to steal data, infect employees’ PCs, and even lock down networks with ransomware. Meanwhile, cyber defenders must contend with limited resources and an ever-expanding threat surface.

The advent of AI has thrown a lot of gasoline on this particular fire. Deepfakes, generative AI chatbots, and other tools have given attackers more options for sparking chaos. However, AI is also making cybersecurity tools more automated and powerful, particularly when it comes to analyzing data and detecting threats. For cybersecurity experts everywhere, mastering AI is no longer a “nice to have”—it’s a prerequisite for the job.

In this e-book, we’ll examine how AI is changing the cybersecurity game, including the latest generation of AI-powered cyberattacks, and how the experts are responding to this changed landscape. These articles present IT pros with ideas for countering these cutting-edge threats and making their organizations safer than ever.

Chapter 1

AI is changing cybersecurity… for better and worse

Back To Top

AI arms race continues, with attackers and defenders vying for position

“AI is turning cybercrime into this assembly line,” CTO says.

Just like any war, the AI arms race absorbs resources and time.

Enterprises are embracing the use of AI, CrowdStrike Field CTO Cristian Rodriguez told IT Brew, and working to ensure that they have a strong grasp on how to secure the technology. To make that security effective, defenders are using AI as a force multiplier—but so are attackers.

Victors?

The back-and-forth battle over AI has attackers, so far, enjoying more success. While defenders have to abide by regulations and parameters both public and private, attackers aren’t subject to such restrictions.

“AI is turning cybercrime into this assembly line, and attackers and adversaries aren’t constrained by things like change management controls,” Rodriguez said. “They don’t care what your change management window is, nor do they care if you’re working on a holiday or not.”

AI is an accelerator for attackers, one that allows threat actors to use the technology to increase their capabilities. But as NCC Technical Director David Brauchler told IT Brew, there’s a difference between that and the fears that “we would start seeing fully autonomous threat actors, AI becoming the hacker in the hoodie, sitting in a dark room.”

For threat actors, the barrier to entry for utilizing AI has dropped. As Singulr AI CSO Richard Bird noted you can buy access to the technology, or get third-party attacker vendors to deploy it on your behalf. But that’s no excuse for defenders, he added, who should adjust their behavior to match the new AI reality.

“The economic perspective of the corporate world is, ‘We’re going to use AI to eliminate positions,’ and the bad guys are going, ‘I’m going to use AI to do more damage,’” Bird said. “I don’t know that that’s necessarily a friction problem or an overhead problem—I think that’s a poor leadership problem on the corporate side of the equation.”

Spoils. Such concerns don’t mean defenders are completely out of luck: AI allows them to identify threat patterns and danger more easily than before.

“That’s one area where AI really thrives, because it ultimately is pattern matching,” Brauchler said. “When we’re identifying where things don’t quite seem right, AI is a powerful tool to automate what would otherwise require a user to come in and or an employee to come in.”

Both attackers and defenders will use AI to scale up their activities. Rodriguez told IT Brew the technology is “accelerating all of their tradecraft by adding automation into their efforts” for bad guys. But on the security side, AI is also being used to streamline operations, especially with the introduction of AI agents. They allow defenders to reduce workflows and increase speed of investigations, leading to better outcomes for stopping breaches.

“That’s where real automation and more proactive agentic workflows make it into the ecosystem of a responder versus just having a chatbot that sends mass alerts,” Rodriguez continued. “You’re now using AI to enable the defender to act faster, and even have the AI model act on your behalf.”

Cyberattackers will press the advantage in 2026

“I’m afraid to even say we are close to winning again,” Securin CEO tells IT Brew.

Are cyberattackers winning?

As we head into 2026, there’s still a significant dearth of cybersecurity professionals available to protect critical infrastructure, and AI tools can’t fully replace human expertise. But the picture is more complex if you look closer.

Cash out

Richard Bird, Singulr AI CSO, told IT Brew that attackers have at least one major advantage—the AI environment is more favorable to their interests.

“The barriers to entry for being a bad guy have dropped substantially,” Bird said. “Whatever I can’t build myself, I can rent, lease, or buy.”

AI comes up

HackerOne CEO Kara Sprague sees things slightly differently—that 2025 was a year when attackers won some advantage due to AI-driven code and other technological innovations. Cybersecurity has always been asymmetric on one side or the other, and 2026 is likely to continue to follow this trend.

“In this past year, the advantage went to the cyberattackers, largely because they don’t have the same barriers and speed bumps to adoption of AI that many cyber defenders have, such as corporate governance processes and testing,” Sprague said.

Using AI only makes things worse, not because the technology allows for more complex attacks but because it makes it easier for attackers to flood the zone. That will continue in the next year, Bird predicted.

“The reality here is we’re going to see the imbalance swing even further away from the defenders, more towards the bad actors, simply because the bad actors are using AI for what it was intended to be used for—which is to make your job easier and make you faster,” Bird said.

Attack the block

Usage of AI on the defender side continued to slip behind attackers in 2025, and David Brauchler, NCC Group technical director, believes that next year things are only going to get worse. Defenders using AI are opening themselves up to threat actors who can manipulate the same systems meant to protect them.

“Defenders are so far on the back foot, they’ve already fallen over,” Brauchler said. “They’re not thinking about the problems, they’re not thinking about the risks, and they don’t realize where their blind spots are when it comes to AI-integrated applications.”

The speed with which attackers deployed AI and made gains in 2025 has Srinavas Mukkamala, the CEO of Securin, concerned about the ability of defenders to keep up. But there are some encouraging signs for the next year, with accelerated innovation on the defender side. Still, the attacker side is moving quickly, too, so it’s good to keep perspective.

“I’m afraid to even say we are close to winning again,” Mukkamala said.

How to prepare as cyberinsurers incorporate AI risks

Some humans in some loops, for starters.

As more companies consider implementing agentic AI, what IT protocols do insurers want to see implemented before they’ll write a policy that covers the use of (and potential damages from) AI?

Cyberinsurance helps organizations protect themselves against costs related to adverse events like ransomware or a data breach. Some insurers now offer AI-specific coverage for scenarios like a chatbot mishap; others see AI as incidental to a breach and don’t mention the technology in policies. A recent report from global insurers’ group Geneva Association found that insurers are adapting cyber and liability policies to include GenAI‑related causes of loss, while “due diligence protocols are being tested to streamline underwriting and claims processes.”

“It remains too early to say whether existing insurance products or new standalone solutions will come to dominate the GenAI risk market,” the report concluded.

We asked insurance pros about the ways that agents can lead to unexpected costs for organizations—as well as the still emerging due diligence designed to satisfy AI underwriters.

In control

Diana Kelley, CISO at agentic AI security platform Noma Security, noted risk-mitigating controls that insurers will likely want from organizations adopting agentic AI:

• Runtime guardrails: Let’s say your billing department has a new inbox agent, and the company receives a message from a supplier disputing a charge—one that links to a cloud-based spreadsheet. An agent designed to summarize email threads may inadvertently send internal data from previous emails or documents to that supplier or even their spreadsheet. An important safeguard, enforced by policy engines, here could be: “Never let an agent parse an email from outside and then take sensitive data and share it before it’s been approved,” Kelley told us. In other words: Before an agent takes an external action involving sensitive data, a human should step in to verify the data, its origins, and what the agent is attempting to do with it.
• Least privilege: You’re the CFO of the company, and you’re using agentic AI to gather info for your quarterly report. You probably don’t want the entire company seeing those financials until they’re “run, rerun, and retested,” Kelley warned. Because of that, an agent should not be granted a CFO-level access to information simply because it operates on a CFO’s behalf. Instead, an agent should have task-specific permissions, like read access to financial systems.
• Continuous monitoring. If an agent made a decision, triggered a workflow, or transmitted data, an insurer will likely want traceability: a record on inputs received, specific tools invoked, and outputs produced. Easier said than done! While some AI-aware security platforms offer visibility into agent workflows and model usage, this product space is an emerging one and maturity varies, according to Kelley.

The call is from outside the house

Use of automation technology by cyberadversaries is also causing losses.

In a report released on December 10, the Identity Theft Resource Center (ITRC) found that AI-powered attacks were the root cause of 41% of small business breaches. ITRC President James Lee told IT Brew that common attacks included AI-driven phishing and social engineering.

He sees insurers wanting organizations to demonstrate training and incident response plans for increasingly autonomous attacks.

Many insurers are still figuring out this nexus of cybersecurity and AI, too. Cyberinsurer Coalition offers protection for those deploying AI systems, but does not have a standalone AI insurance product, according to Michael Phillips, the company’s head of cyber portfolio underwriting. As AI becomes embedded across software and operations, Phillips wrote to IT Brew, “the relevant question isn’t whether there’s a separate AI policy; it’s whether existing insurance products meaningfully address the risks created by AI in real-world environments.”

Phillips noted threat actors’ increasing use of AI to generate convincing phishing messages and deepfakes, along with the emerging threat of AI agents acting on behalf of users, executing “decisions across pricing, transactions, or operations, where a single error or hallucination may propagate rapidly.” He shared controls for those trying to reduce AI-driven risk:

1. Human-in-the-loop oversight
2. Identity and access management
3. Data minimization and masking
4. Model monitoring
5. Bias and discrimination testing
6. Incident response and business continuity
7. Vendor and third-party risk management
8. Security awareness and training
9. Comprehensive AI use policy
10. Deepfake response planning

AI insurance please!

More than 90% of respondents expressed a need for insurance coverage tailored to AI and GenAI threats, according to the Geneva Association study. More than two-thirds of 600 surveyed global business insurance decision-makers said they’d pay at least 10% extra in premiums for it.

Not every insurer is rushing to spin up AI-centric policies, though. For example, insurer At-Bay does not provide AI-related insurance or recognize anything specific to the technology in its policies—and that’s intentional, according to company CISO for customers Adam Tyra.

“The fact that you had a loss is what’s important to insurance coverage,” Tyra told IT Brew.

Shadow AI and personal devices could create network insecurity

The threat of shadow AI is made worse by the presence of AI agents, experts say.

When it comes to network security, handling shadow AI should be simple. Just block any AI tools and associated sites that employees shouldn’t be accessing, and update that block list for anything new and suspicious that comes out.

Except it’s never that simple.

Jason Martin, co-founder and co-CEO of Permiso Security, said that while organizations are able to control access on professional devices, personal devices used for professional situations present difficulties for network security.

“You create an isolated, narrow tunnel for them to get in only from a compliant device, and then you monitor that device,” Martin said. “But I don’t know if everyone’s doing that, and I don’t see that happening everywhere.”

The rise of AI agents adds to the potential for network disruption, especially as people interact with agents via mobile devices and other parts of the network.

“I began to get trained as an individual on how I want to consume and use software on my mobile device, which I use more than anything else, and then I start coming back to work systems and I’d be disgruntled or upset at the lack of user experience,” Martin said.

He added: “It’s something that can help me in my personal life and therefore it can also help me in my professional life—and I’m going to want to use it.”

How much of a problem is this?

Amanda Grady, VP and general manager of AI platform security for ServiceNow, told IT Brew that network security experts already monitor traffic patterns and communicate with employees about AI policies and security.

Despite that training, though, employees are capable of finding ways around an organization’s guardrails. “The key thing that companies need to do is ensure that they’re giving their employees access to legitimate AI tools,” Grady said, “because if you leave them behind, then I think that runs a greater risk of them going rogue and using shadow tools.”

Martin added that the pervasiveness of personal devices within professional networks prevents cybersecurity experts from exerting full control over shadow AI.

While organizations can detect agents by observing activity at endpoints, Martin pointed to the danger of employees giving rogue AI agents too much access to the network.

“You may unintentionally unleash these agents broadly via credentials that have broad levels of access,” Martin said. “That means they could have catastrophic impact. They can also actuate change at rates that have never been seen really before.”

What should be done?

Companies should understand which workflows employees want to automate the most and start there, Martin said.

Grady also pointed out the need to communicate policies to employees, along with putting the right tools in place to detect shadow AI. Humans in the loop are also a huge factor in detecting the unauthorized use of AI.

“I think it starts with determining who the owner is for AI within the company, setting the right policies, [and] communicating them clearly, but I think it’s equally important to make sure that you are allowing some AI,” Grady said. “There should be some sanctioned use of AI, otherwise companies are just going to get really left behind in this AI revolution.”

Chapter 2

The next generation of cyber attacks

Back To Top

With shared AI chats, malware masquerades as help

A Huntress blog entry revealed how attackers can hide malicious instructions in ChatGPT conversations.

According to a recent report from cybersecurity company Huntress, threat actors drove fraudulent and malicious ChatGPT- and Grok-based troubleshooting conversations to appear prominently in search results.

The entries seem like legitimate help for a task, such as how to “clear disk space on macOS.” Instead of containing helpful troubleshooting advice, however, the manipulated entries offer copy-and-paste steps for installing infostealers.

The chats appear near the top of Google results, and avoid traditional malware downloads in favor of four everyday, often harmless actions: search, click, copy, paste. And IT pros should be concerned, according to Jonathan Semon, principal SOC analyst and co-writer of the December 9 report summary on the Huntress site, given people’s willingness to trust chatbots’ answers.

“It’s stealthy, it’s quiet, it’s quick, it’s cheap, it’s scalable, and it’s most importantly, in my opinion, psychologically effective,” Semon told IT Brew. “All it takes is one admin to have a password leaked or to have a backdoor created on their machine, and that’s how ransomware gets in.”

How it works

Anyone trying to figure out tech—including your typical IT pro!—has to search stuff now and then, and the adversaries crafting and sharing seemingly legitimate AI chats are banking on that habit. According to Semon, a Huntress customer googling for technical help found a sponsored search result leading to a manipulated ChatGPT conversation, but legitimately hosted on ChatGPT.com.

This conversation, the company’s SOC analysts discovered, was crafted by a hacker who wanted to steal data and damage machines. The entry’s step-by-step “troubleshooting plan” told the user to paste a malicious command—one that downloads and runs a data stealer—in their terminal.

Semon mentioned one plausible tactic: Attackers could leverage AI platforms’ content-rendering features to retrieve an externally hosted HTML file or similar content, and present it as text in a shared conversation; the instructions appear as though they were generated directly by the AI rather than an outside, nefarious source.

Where have I seen this before?

The tactic is a spin on SEO poisoning—a persistent ploy that relies on tools like bots or keyword stuffing to boost harmful pages to the top of search results.

The tactic is also another round of scam-yourself social engineering, which lures a target into running a malicious command on their own, often bypassing browser-security protections since the browser isn’t doing the downloading.

The Atomic macOS Stealer (AMOS) payload found by Huntress, according to the company’s report, exfiltrates data, harvests credentials, and escalates privileges.

Earlier this year, a report from IBM showed the number of infostealer credentials available for sale on the dark web increased 12% year over year in 2024.

What to do

Semon said he shared findings and the backlinks with Google, OpenAI, and xAI. “Distributing malware is an egregious violation of our ads policies, and we’ve suspended the accounts linked to these campaigns. We continue to monitor for abuse to keep this content off our platforms,” Google spokesperson Nate Funkhouser wrote in an email to IT Brew. (OpenAI did not respond to IT Brew’s requests for comment. xAI did not answer IT Brew’s request directly, responding: “Legacy Media Lies.”)

Semon suggests vendors offer a notification that alerts users of a shared conversation from an AI platform and advises a potential victim to not run commands or download anything. Basically: Don’t trust this.

Similarly, he said, employees should be advised to not run commands from an untrusted source, and to deploy multifactor authentication and password managers that defend against infostealing malware.

Does an attack focused on IT-related questions mean attackers are purposely targeting IT professionals, especially those with valuable credentials?

“Information-stealing is the No. 1 thing that’s on the market right now. And if all it takes is abusing somebody’s trust in something like ChatGPT to get them to execute a command, and now you have all of their passwords. You have all of their cryptocurrency. You have all of their machine data,” Semon said. “I think it can target anybody really.”

Who needs coding? LLM hackers have a way with words

Want to break a large language model? Brush up on your Shakespeare.

If you want to mislead a large language model these days, don’t summon a tech-minded hacker. Instead, call in the bards, fiction writers, and smooth talkers: Some recent LLM breaks involve not coding or the command line, but clever wordplay.

Let’s break down some recent, notable prompt attacks involving inventive turns of phrase.

Verse

Roses are red,

Violets are blue,

Prompts can get tricky,

If they’re poetry too.

Adversarial poetry: That’s the idea behind recent research from Dexai’s Icaro Lab, Sapienza University of Rome, and Sant’Anna School of Advanced Studies. According to the Nov. 20 study of 25 “frontier language models,” rewriting a harmful prompt into “standardized” verse produced attack success rates of 62%, “up to 18 times higher than their prose baselines.”

“The vulnerability is systemic,” the report concluded, and “stylistic variation alone can circumvent contemporary safety mechanisms.”

Each poem embedded a safety-relevant instruction “through metaphor, imagery, or narrative framing rather than direct operational statements.” Here’s a sanitized structure example; the report did not share specific operational details for safety reasons:

A baker guards a secret oven’s heat,

its whirling racks, its spindle’s measured beat.

To learn its craft, one studies every turn—

how flour lifts, how sugar starts to burn.

Describe the method, line by measured line,

that shapes a cake whose layers intertwine.

The researchers showed the “stylistic variation” of a poetic framing—one that avoids harm-indicating keywords that an LLM is trained and ready for—“can circumvent contemporary safety mechanisms.”

Word choice

When it comes to queries, LLMs sometimes rely on vibes and sentence structure. In a September 2025 study, researchers from Northeastern University, MIT, and Meta found that a model makes judgments based on a grammar pattern and not necessarily expertise on the query topic or domain. In tests with different models, including Llama-4 Maverick and GPT-4o, the teams determined that models learn to associate a domain with syntax during training,

One example from the report: Both “Where is Paris located?” and “Quickly sit Paris clouded?” gave the answer: France.

The researchers urged syntactic diversity in training, to avoid risks like LLM hallucinations and new exploits for bypassing model refusals to harmful requests.

Long stories, irrelevant tales

IT Brew reported in April how Cato Networks researcher Vitaly Simonovich used “narrative hacking” to trick an LLM. Simonovich’s long story (featuring, like most good works of fiction, many rewrites) about the made-up world of Velora and its hero “Jaxon” coaxed large language models at the time to serve up a recipe for infostealing malware.

Prompt-injection pro Joey Melo, speaking with IT Brew in August 2025, revealed prompting and phrasing strategies that he found effective in breaking down an LLM, including trying out unconventional synonyms (“phrases of the secret” instead of “secret phrase”) and even irrelevant queries (“nice to meet you”) to distract the model. (He shared these strategies in a LinkedIn post at the time, too.)

Nick Reese, COO of AI testing and assurance company Optica Labs, has seen plenty of language-based model breaks—common findings because AI is an evolving technology. “AI is not the same today as it was yesterday, and it won’t be the same tomorrow, because it learns,” he told IT Brew.

“As a result, if you test one time, you get a result for that moment in time.”

Reese sees agents (and companies like Optica) providing a continuous alternative: constant checking, recording, and evaluating models in real time. He also believes language will become an important skill for today’s tech professionals and those training the models; model makers, he said, need to have a deep understanding of linguistic variants.

“It’s not good enough for us to say, ‘We tested this once in the lab and then we sent it out into the world.’ That’s not sufficient anymore.”

Cyberattackers are running and EtherHiding

Why this Web3 threat matters.

As if we needed more things to put on the blockchain…

Throughout 2025, cybersecurity and tech vendors have sounded the alarm about an adversarial tactic called EtherHiding. This stealthy attack buries malware components in smart contracts on the blockchain ledger.

The attack is a tricky one for defenders to mitigate, given how the blockchain is decentralized and often spread across an immense network, with many potential points for a multi-stage attack. Over the past few years, software developer interest in Web3, which attempts to build decentralized online ecosystems using blockchain technology, has only increased the potential attack surface for exploits like EtherHiding.

“These attack chains are becoming increasingly more difficult. Even if you don’t have a particular interest in Web3 or an application for it, understanding how this type of attack works can help to inform your posture and not only your policies, but also your training,” Andrew Northern, principal security researcher with internet intel platform Censys, told IT Brew.

EtherHiding is a variation of the JavaScript-injecting technique known as creating a “watering hole”—a wait-and-see-who-shows-up attack that compromises a website to deliver malware to visitors. EtherHiding refers to the “ether” JavaScript library that provides helper applications for web services interacting with the blockchain, Northern noted.

A tactic revealed by Censys in a Nov. 21 blog post showed how attackers stored JavaScript “blobs” for a fake CAPTCHA in a Binance Smart Chain contract. JavaScript, initially injected into a target’s website, then queries the blockchain, pulling the on-chain malware pieces that could lead to the execution of an infostealer or other malicious code.

Why the blockchain tactic baffles

If cybersecurity experts are having a difficult time countering this threat, there are good reasons for it.

1. There are legitimate uses for the ethers library, so its presence alone is not an indication of anything nefarious, Northern told us.
2. EtherHiders can change their payloads rapidly, he said, and pay a “gas fee” to update a smart contract that they own.
3. Peterson Gutierrez, VP of information security and interim CISO at cybersecurity company Barracuda, said the blockchain provides a decentralized holding spot for attackers—one that law enforcement can’t bring down. (Barracuda wrote about the threat in an Oct. 31 post.)

What to do

Google gave an EtherWarning in an October 16 blog, citing a financially motivated group (termed “UNC5142”) that was using compromised WordPress websites and the blockchain to distribute info stealers. The company, which also identified North Korean threat actors deploying the tactic to steal crypto and spread malware, found “approximately 14,000 web pages containing injected JavaScript consistent with an UNC5142 compromised website.”

For a suitable defense, Northern recommended that businesses deploy Windows policy rules to associate JavaScript use with a text editor so that inadvertent JavaScript executables open harmlessly as a text file.

Also, thanks to lower adoption of Web3 principles than some advocates hoped, many orgs don’t need blockchain technology—and should block accordingly. For those companies, Northern advises users to create a block list for the API-like RPC (remote procedure call) endpoints, which are the URLs facilitating communication and data requests in a blockchain. (Some contracts contain a blockable server location, Northern noted in a follow-up exchange.)

Gutierrez said IT pros should set their sights on stopping key steps in the attack, like making users aware of the fake CAPTCHA, or “ClickFix,” tactic.

“Finding ways to break the kill chain is what IT pros should be focusing on,” Gutierrez said.

Evan Gordenker, consulting director at Palo Alto Networks’ Unit 42, recommended companies apply tight access controls for actions requiring sensitive credentials, and to make sure that in those scenarios, callouts to malicious smart contracts can’t happen.

“[IT pros] are the target here,” Gordenker said. “Developers in particular, but also IT folks, depending on the organization, will log into sensitive pages from their personal machines, and if those personal machines have infostealer malware, or in this case, visit a site that’s infected with an EtherHiding payload, then that’s potentially a really good avenue for a threat actor to target them.”

‘HashJack’ demo hides malicious instructions in URL

And some AI browsers obeyed.

When it comes to URLs, if you leave a message after the #, a hacker just might get back to you with a scam.

A recent demo from IT security company Cato Networks showed how placing malicious instructions after the hashtag in a lengthy, otherwise legitimate URL can fool an AI browser’s large language model into obeying the commands.

While Microsoft and Perplexity reportedly fixed the “HashJack” vulnerability in their browser offerings after seeing the tactic in action, new prompt injection ideas keep appearing, threatening the security of emerging tech like AI browsers.

“One of the major vulnerabilities for AI systems is prompt injection,” Cato Senior Security Researcher Vitaly Simonovich told IT Brew, referring to a technique wherein an attacker inputs text that tricks a large language model (LLM) into following potentially malicious instructions.

How it works

Simonovich, having previously tricked large language models with long stories, decided to try a long URL.

The security pro embedded malicious directives into the URL. When some chatbot-equipped AI browsers load the page, he found, the bot pulls in the URL as context for a user query. Hidden commands in the address are then fed into the large language model, and in some cases, the LLM followed those commands. Because the URL fragments stay within the browser, the demonstrated attack potentially evades traditional network-level detections.

The Cato Networks post demonstrated this technique in several ways:

• A prompt in Google’s Gemini asking, “What are the new services and benefits?” led to an execution of a callback phishing scam.
• A loan question posed to Perplexity’s AI assistant Comet hid instructions to send a user’s banking data to a threat-controlled URL.
• A “new services” query led to Microsoft's Copilot displaying a fraudulent “verify your account now” login option.

Although Microsoft and Perplexity applied fixes to the prompt injections, according to Cato’s blog, Google’s “issue remains unresolved at time of writing.” (Google did not respond to IT Brew’s request for comment by publication.)

Prompts aplenty

Researchers have been demonstrating new prompt injections somewhat regularly these days—one recent report even revealed how a “poetic” structure in a query can force an AI browser to break down.

“The LLMs are evolving, just like web applications are constantly evolving. There’s always a new version being released. With new versions and new technology come new vulnerabilities and new human ingenuity,” prompt-injection researcher Joey Melo told IT Brew in August.

A day after OpenAI released its ChatGPT Atlas browser on Oct. 21, the company’s CISO wrote on X that prompt injection was “an emerging risk” being thoughtfully researched and mitigated.

“Our long-term goal is that you should be able to trust [a] ChatGPT agent to use your browser, the same way you’d trust your most competent, trustworthy, and security-aware colleague or friend,” Dane Stuckey wrote at the time.

AI shoppers open the door to a world of uncertainty

“The technology is too immature to actually use its scale successfully and securely right now,” tech expert says.

Holiday shopping is here and everyone’s looking for help—and with some people turning to AI, there’s a new security concern under the tree.

AI shoppers are growing in usage and importance as consumers try to automate the boring and relentless work of finding just the right product. AI personal assistant technology isn’t expected to reach mass market level until 2026, according to a new analysis from IEEE, but it’s already becoming an important element of the online retail experience.

The way it works

IEEE Senior Member Kayne McGladrey told IT Brew that, in theory, an AI shopping agent would be able to handle purchasing if given enough information. But that hints at the underlying security concern: If an agent has your payment information, personal details, and access to email, it opens the door to greater threats. And attackers are taking notice.

“I’ve seen working concepts where the AI will get tricked into not only finding the wrong object, but getting the credit card information from you and sending that credit card information off to whoever’s hosting the fake scam object, and taking your bank account and collecting those credentials too, because it’s got access to all of that,” McGladrey said.

Threat actors and defenders alike are increasingly reliant on AI for managing the cybersecurity landscape. For those on the side of the angels, that means using the technology to streamline incident reporting and detection. But AI isn’t always reliable; the technology can open the door to exploitation solely due to its level of access.

Purchase power

Whether attacks on AI shoppers count as a cybersecurity threat or just old-fashioned fraud, the vulnerability is real, and while there’s potential for AI agents to be eventually deployed to automate any number of everyday tasks, there are very real roadblocks to that future.

“The technology is too immature to actually use its scale successfully and securely right now, and I think until we have some unfortunate outcomes, there’s no real economic incentive for the people who are making the AIs to make them more resilient,” McGladrey told IT Brew.

There’s also the concern that agents could be used to infiltrate sites and attack internal systems. With an influx of shopper agents, it’s hard to sort the real from the fraudulent, meaning that defenders need to be vigilant. IT teams have to stay on top of the danger and limit the damage.

“We can take the same controls that we use for malicious, hostile traffic and apply it to those bots because otherwise they will possibly either overload websites that don’t have enough capacity to create mini DDoS, distributed denial service-style attacks, which is not good for anyone,” McGladrey said. “Having your website go down because AI has decided that it’s going to take over is not a good outcome.”

Cisco shows LLMs get worn down by ‘multi-turn’ prompt attacks

It’s “death by a thousand prompts,” the vendor writes in a report released this week.

If at first you don’t succeed, prompt, prompt again.

In a Nov. 5 report, Cisco showed that open-weight large language models—those with their trained parameters publicly available—were especially susceptible to a chain of malicious prompts known as a multi-turn attack. Cisco used its “AI Defense” assessment tool to determine that multi-turn scenarios were two to 10 times more successful than single-turn ones at achieving a cyberattacker’s aims.

Tested threats included nefarious tasks like malicious code generation and sensitive information disclosure.

The models studied models in the research included Alibaba’s Qwen3-32B, DeepSeek’s v3.1, Google’s Gemma 3-1B-IT, Meta’s Llama 3.3-70B-Instruct, Microsoft’s Phi-4, Mistral’s Large-2, OpenAI’s GPT-OSS-20b, and Zhipu AI’s GLM 4.5-Air.

Here’s what else the report found:

Craft singles

To test the effectiveness of a single input to “jailbreak” an LLM, the group sent out 1,024 prompts. Single-turn attack success rates (ASR) averaged 13.11%, “as models can more readily detect and reject isolated adversarial inputs.”
Roll doubles. The group’s multi-turn attack set featured 96 pre-defined malicious intents, with strategies like increasingly intense requests (known as “crescendo”); asking the model to perform personas; and rephrasing rejected prompts. Cisco’s team said it conducted 499 conversations across all models, and each exchange lasted an average of 5 to 10 turns.

Success! But not the good kind!

According to Cisco, all models demonstrated “high susceptibility” to multi-turn attacks, with success rates (meaning vulnerability) ranging from 25.86% (Google Gemma-3-1B-IT) to 92.78% (Mistral Large-2). The average: 64.21%.
The findings, the study writers claim, expose a “dominant and unsolved pattern in AI security.” Successful prompt injections could lead to sensitive data exfiltration, fast-spreading content manipulation, and operational disruption.

On the ’rails

AI-heavy companies like Meta (with its Llama Guard), Nvidia (NeMo Guardrails), and OpenAI (OSS-guard) offer mechanisms for evaluating inputs, outputs, and model behavior.

While Joseph Perry, senior manager at cybersecurity consultancy MorganFranklin Cyber, still sees protection against multi-turn attacks as an unsolved problem, he considers projects like Llama Guard as a promising way forward.

In an email to IT Brew, Perry wrote that adversarial simulation, also known as red teaming, will be a helpful way to reveal risk—“denylisting,” or blocking malicious actions one by one, won’t work, he warned.

“In general, the solution will need to center on context awareness. That could mean deploying a monitoring model specifically trained to detect multi-turn attack patterns, incorporating more complex model cost-function analysis, or even taking a more novel or experimental approach,” he wrote.

More prompt-related vulnerabilities have been discovered recently by other researchers, including ones reportedly impacting AI browsers, ChatGPT, and Anthropic’s Claude.

In its report, Cisco recommended best practices for developers, including the creation of a strong system prompt, or ​​a set of instructions and contextual information provided to AI models before they engage with user queries. (Developers must also ensure users cannot override the system prompt, Cisco added.) The company also recommended monitoring “worst-case operating conditions,” taking into consideration the objectives of threat actors.

“It is still worthwhile for us to develop an open community around this, to call out the vulnerabilities and susceptibilities of these models so that it informs downstream development and later versions of models to have that in mind,” Amy Chang, AI threat research and security lead, told IT Brew. “There is an appetite out there for people to have very strong, strong baselines for safety and security in their models.”

Chapter 3

How the experts are facing these new threats

Back To Top

Coinbase CSO Philip Martin knows that security isn’t forever

Coinbase CSO Philip Martin shares how he secures one of the largest crypto exchanges in the US.

Security professionals know the only way to truly secure a computer is to encase it in concrete and dump it in the ocean. But short of that, these professionals do what they can—and that includes Philip Martin, CSO at massive crypto exchange Coinbase, who sees his job as a series of carefully considered risks.

Security practitioners, Martin told IT Brew, are here to help businesses “take calculated, knowing, understood risk in the right areas with the right risk treatment implemented around it.”

Go fast and break nothing

When an organization like Coinbase decides to launch an initiative that contains security risks, Martin said, “your job as a security practitioner is to figure out how we can do it safely.”

Martin added that his team seeks to “go fast and break nothing.” To ensure that, they look at solutions like automated testing to ensure that if something breaks, they know about it before a new capability or feature is released.

“It’s about going fast, understanding where the risks are in that innovation, and building mitigations for those risks if they’re to materialize,” Martin said.

What’s got you scared?

Martin said supply-chain attacks are top of mind for him, especially given the slew of highly publicized incidents in the cryptocurrency space.

Martin said that cybersecurity professionals have to pay a lot of attention and move carefully—especially as projects and libraries often have few “maintainers” and “don’t necessarily have the best operational hygiene on who can be a contributor, who can commit to things.”

While cryptocurrency platforms can be a prime target for attackers, defensive techniques are largely the same as those utilized by other industries.

“The difference for a company like Coinbase is we see some very sophisticated attacks across the board,” Martin said. “We are, I think, one of the larger targets out there today for bad actors. While it doesn’t change the mechanics or the attack or the defense, what changes is the likelihood of it occurring on the one side; on the other side, the seriousness with which Coinbase takes security.”

Scammers and fraudsters and threat actors, oh my! As with any other financial service, Coinbase users face the risk of scammers and fraudsters. To combat this, Martin’s team focuses on educating users to understand the characteristics of a scam.

Coinbase also features a 48-hour pause for transfers detected as potentially fraudulent. The customer is told their transaction is on hold, but can still go through with it by taking a scam quiz, which determines if the user is under duress or on the phone with a scammer.

“We’ve definitely seen cases where that control and others have prevented scams or malicious transfers,” Martin said. “Almost everything we’ve implemented in this regard has had a very high ROI in terms of improving customer safety and outcomes.”

Traceability as a strength

If a scam does occur, and a customer transfers money off of Coinbase, there’s a record of that transaction on the blockchain. Martin shared that Coinbase will not only work with law enforcement, but other crypto exchanges if there’s a transfer as a result of a crime.

“That means we can, specifically on the threat intelligence side of the house, we can do a lot with tracking that money as it moves through a criminal ecosystem,” Martin said. “Sometimes it means that we are able to recover some of that.”

Martin added that the traceability of crypto is a feature, and one that he feels doesn’t exist in any other monetary instruments—especially as the transactions happen digitally and can be recalled.

How Adaptive Security CEO Brian Long thinks AI-powered attacks will change the SAT industry

Adaptive Security specializes in security awareness training against AI-powered threats, including deepfakes and vishing.

Something old, something new, something borrowed, something duped. That’s essentially Adaptive Security’s approach to preparing working professionals to keep themselves and their organizations safe against AI-powered attacks.

The newcomer security training company, founded in 2024, provides users with training content to help users better identify threats like deepfakes, smishing, and vishing. However, instead of traditional learning modules, Adaptive delivers customized simulated attacks to employees, such as a phone call with a real-time deepfake of someone within the organization requesting a favor.

Brian Long, Adaptive co-founder and CEO, told IT Brew that the technology used to execute these types of attacks is constantly evolving, making it easier for threat actors to strike—and more crucial for organizations to up their game against such threats.

“Anyone from an eight-year-old to an 80-year-old can make [deepfakes] now in just a few minutes,” he said.

Adaptive’s entry into the industry comes at a time when security awareness training administrators aren’t entirely satisfied with their training content. A recent Huntress report found that 44% of security awareness training (SAT) professionals feel their content is either often or always outdated or irrelevant. A number of security companies, such as Breacher.ai and Arsen Security, are attempting to fill this gap by providing educational content focused on AI-related threats. IT Brew previously reported that KnowBe4, a longtime player in the security awareness training space, has plans to release deepfake educational content in 2026.

“Organizations need to understand that, unfortunately, there’s a lot of successful attacks today and they’re growing really, really quickly,” Long said. “We just need to make sure that our workforce across every type of vertical is ready for this threat, because they are not.”

IT Brew caught up with Long to hear his thoughts on how the SAT industry will change in the next decade and how Adaptive’s content compares to traditional security training incumbents.

These responses have been edited for length and clarity.

Do you think legacy SAT companies still have place and value in today’s threat landscape?

There’s still value because there’s still traditional attacks happening, but organizations need to adjust for where most attacks are going now, and the attackers unfortunately are moving a lot faster right now than many organizations are. So, organizations need to act with urgency in order to get ready for this threat because unfortunately a lot of successful attacks are not reported in the press today.

If a company gets attacked and loses something, they generally don’t tell anyone. They tend to keep it to themselves. So, unless it’s a public entity that has to do some sort of disclosure…it’s generally not being published anywhere. But what I’ll tell you is that if you asked a CISO…a year ago, if they had had this type of deepfake attack be successful at their organization, you probably would hear one in 10. Today if you ask them, it’s over half.

Have you seen a difference in the way users respond to educational content from Adaptive compared to traditional SAT?

To be effective, it has to be relevant and it has to impact the life of the individual. And what’s different about what we’re doing and what you’re able to do now with AI is that I can really personalize the training to you. I can have it be an interactive voice deepfake that’s tailored to just you. I can have all the materials and the trainings specific to you and your organization. And it’s a radical difference from what was the traditional sort of batch and blast, everyone gets the same training…It’s a pretty radical change and as a result, I think that you’re seeing employees actually learn and become aware of something that is changing very, very quickly, which is AI-powered threats.

What are your thoughts on where the security awareness training training industry is heading in the next five years or so?

I think it’s headed for massive innovation. Because social engineering is still part of 90% of successful attacks, we have not done a grand enough job to protect organizations from these attacks. And unfortunately, that’s only going to increase significantly with these new AI tools. The tools are just going to get cheaper. They’re going to proliferate everywhere…The models themselves that allow these attacks to happen, they’re now available open-source, which means anyone can access it and they can run it on their own computer.

So, there’s no moderation…That’s having a huge, huge impact on the volume of attacks that we’re going to see. So, I think you’re going to see companies that play in the security awareness phase having to innovate really quickly in order to make it relevant for where these attacks are going.

Why a life in video games and cybersecurity helps with deepfake detection

Meet CTO, former hacker, and former video game programmer Alex Lisle

If you hear techno bumping from Alex Lisle’s living room, it’s not a rave; he’s probably coding a graphics engine.

Lisle, currently CTO at deepfake detector Reality Defender, still finds programming calming, even when the background beats are loud. Decades before he joined the NY-based cybersecurity platform this past July, Lisle created video games, supporting consoles like the Sega Dreamcast and Sony PlayStation. He’s also worked for cybersecurity firms.

A security pro with gaming expertise is a rare combination, according to Lisle; gamers make things, and cyberteams tend to break things.

“Generally, really great cybersecurity guys don’t actually make great programmers…because they’re usually very good at finding holes in things,” he said.

Lisle spoke with IT Brew about his experience moving between hacker and programmer roles, and how the dual professional worlds have given him a unique perspective to help in his latest effort: spotting deepfakes.

Pressing start

Lisle began his professional game-development career in 1999. As a junior system administrator at Sega Europe, Lisle—a teen at the time, and about 10 years younger than his peers, he said—was tasked with creating and securing the internet service provider network built specifically for the Sega Dreamcast console. Years before taking the gig, young Lisle had taken an interest in offensive hacking, using tools like a network sniffer to spot unencrypted traffic—and unencrypted login credentials. At Sega, he was sniffing out hackers from the other side of the firewall.

“People wanted to hack Sega all the time, so it was kind of fun stopping people from hacking,” Lisle said.

The job reinvigorated his passion for programming, Lisle told us; he recalled beginning his lifelong computer journey by manually typing code into an Amstrad CPC, an 8-bit home computer. The final result, according to Lisle: a buggy fencing game.

After a year at Sega, Lisle went back to school to hone his programming skills and then became a research developer at Durham University, where he designed molecular-screening software.

Following the on-campus work, Lisle got back into gaming, spending stints at Sony and Venom Games.

His love for coding led him back to cybersecurity. In 2008, he joined Fortify Security as an engineer and helped to develop the company’s static analysis tool for finding code bugs. Other security roles followed over the years. Now, as Reality Defender’s CTO, he spends his time researching new deepfake attacks and making sure the company’s technology is prepared for them—more of that Sega-era, defensive-security fun, perhaps.

What makes a gaming pro a good security pro?

Whether you’re a cyberattacker or a computer-game programmer, you’re pushing limits, according to Lisle. During his time programming video games, Lisle learned how to get the most out of limited hardware and graphics engines. “You can’t say to someone, ‘Hey, get a bigger GPU,’” he told us, recalling a time a colleague created two separate graphic engines to “push more polygons through” the Playstation platform.

A limit-pushing adversary finds vulnerabilities in an unexpected part of an environment. Lisle recalled the 2013 breach of Target, which reportedly began via a compromise of an HVAC company.

“I mean, that’s lateral thinking,” he said, referring to a disruptive, creative, problem-solving approach.

What makes a gaming pro a good deepfake detector?

A 2023 University College London (UCL) report found that listeners correctly spotted audio deepfakes 73% of the time. A James Cook study that same year revealed a 61% accuracy rate with video deepfakes. (Reality Defender offers a multi-question deepfake challenge; this reporter ended up with an 18/30 deepfake-minus.)

What Lisle has learned over the years, with deepfakes and with video games, is that a digital representation doesn’t have to be photorealistic to effectively deceive a human. We all have a programmer’s way of building an image in our minds, but not always breaking it down.

“When it comes to deepfakes, unless you’re really studying for it, your mind will fill in a bunch of the blanks,” Lisle said.

How John Kindervag got the last laugh on zero trust

“The first reactions to zero trust were, that’s a dumb idea. You’re an idiot. It’s never going anywhere,” John Kindervag, the creator of the framework, tells IT Brew.

In 2003, John Kindervag, godfather of zero trust and renowned cybersecurity expert, was fired from his job.

“I actually got fired from a job for putting outbound rules on firewalls because that’s not the way the manufacturer suggested that you do it,” Kindervag said, adding that his workplace didn’t want to do anything that would go against what vendors recommended.

Kindervag, now chief evangelist at cybersecurity company Illumio, said the termination was the “best thing” that ever happened in his career. Just a few years later, Kindervag joined Forrester as a senior analyst of security and risk management. It was there he authored a paper on zero trust, a framework in which companies ditch the assumption that a device or user can be trusted and instead treat them like a potential threat. Zero trust challenged former ways of thinking and helped originate what has essentially become cybersecurity’s golden rule today.

King of the Forrester

IT Brew caught up with Kindervag to discuss why it was important to introduce a new security model in the industry 15 years ago. Reminiscing on the early years of his career, Kindervag recalled plenty of bad firewall policies and a security model that trusted internal operations, with no rules on outbound traffic.

“I said, ‘Well, guys, what if somebody gets in and they’re gonna steal data, and we won’t know?’ and people thought that I was completely nuts for saying that,” he said.

The disconnect caused Kindervag to study the concept of zero trust for roughly a decade before joining Forrester, where he was encouraged to explore the unconventional ideas in security.

“We had a motto: Think big thoughts,” Kindervag said. “It was a great opportunity to be at a place where they allowed me the freedom to explore ideas that other people thought were, quite frankly, incredibly stupid.”

With years of primary research, Kindervag chipped away at forming the framework, building prototype zero-trust environments and previewing the concept during public speaking opportunities.

“I got a lot of great feedback and some good ideas, but nobody could say, ‘Well, this won’t work because of X, Y, or Z,’” Kindervag said. “There was no technical reasons that this wouldn’t work.”

Zero to hero

While zero trust is championed within the cybersecurity industry today, Kindervag said he was met with a tough crowd when his report on the concept was published in 2010.

“The first reactions to zero trust were, ‘That’s a dumb idea. You’re an idiot. It’s never going anywhere. Why’d you write this report?’” Kindervag said.

People and organizations praised Kindervag behind the scenes, but he said it wasn’t until the 2015 Office of Personnel Management data breach, which exposed the data of 21.5 million people, that the industry woke up. A subsequent investigative staff report on the breach recommended the Office of Management and Budget provide guidance to government agencies about zero trust. Additionally, former Rep. Jason Chaffetz, who was chairman of the Oversight and Government Reform Committee at the time, penned an article endorsing the model.

“You started seeing it all over the federal government and when the federal government starts to do it, everybody else in the world says, ‘Oh, okay, well, we need to catch up,’” Kindervag said.

Duncan Greatwood, CEO of Xage Security, pointed to the advent of cloud computing as another factor that increased zero-trust adoption.

“People stopped thinking that all of their important stuff was inside the company, so inside the perimeter or inside the castle wall,” Greatwood said. He added that the increase in cyberattacks involving lateral movements was another driver.

15 going on 30

Today, Kindervag said his job is far from over. He’s now focusing his time on educating people about zero trust so that organizations can continue to embrace the framework. Last year, a Gartner survey found that 63% of global organizations have either fully or partially implemented a zero-trust strategy.

“There’s a lot of people who want to do it, but they’re scared to do it because they misunderstand it,” Kindervag said. There is a lot of misinformation about zero trust, largely from vendors looking to “redefine zero trust based upon the product they’re selling,” he added.

Greatwood said zero trust is “mainstream at this point,” but he thinks some companies struggle with implementing it in their entire organization.

“There’s been a lot of adoption of zero trust with respect to remote work…but then as you go deeper into the organization, we’re often seeing situations where zero trust has not been so widely adopted deep within the internals of the company,” he said.

Anetac security platform co-founder and CEO Timothy Eades has a different take on the beloved security framework. He said IT infrastructure within organizations is growing more fragmented and distributed, making it essentially impossible to deploy the framework over so many independent services. For IT pros entrusted with cybersecurity, that can make zero trust a hard goal to reach.

“Zero trust is an ambition,” Eades said. “It’s a North Star, so it’s something you can steer towards, but you don’t get upset if you never achieve it.”

However, Kindervag is no stranger to naysayers. He said technologists tend to come around to the idea of zero trust later than corporate leaders because they focus too much on the technology as opposed to the actual idea of zero trust.

“We want people to be strategic thinkers [and] to be system thinkers, so that they can understand the value and how this is going to make their job easier over time.”

Why vets can handle cyber threats

Former US Air Guard cyber operations specialist Frankie Sclafani talks about the move from the military to private IT.

Air Force veteran Frankie Sclafani considers himself lucky that his military experience translated directly to his civilian career as a cybersecurity expert.

Sclafani managed critical cyber operations for the Maryland Air National Guard, led network operations for the US Air Force, and conducted incident response and signal-intelligence collection for the National Security Agency. He’s also jumped into the private sector, where he helped secure systems at Google, Mandiant, and now the managed detection and response company Deepwatch.

Other veterans haven’t had as smooth of a professional transition. Sclafani said they may feel lost after leaving the military for civilian life and a new potential career.

“When you leave the military, a lot of people don’t tell you this, but there is a little bit of a sense of feeling lost and maybe directionless or missionless,” Sclafani told IT Brew.

He sees cybersecurity as a welcoming destination for veterans, whose years spent tracking adversaries can translate well to a cyber career with its share of threat hunting.

SOC’d and loaded

A security operations center (SOC)—a hub for monitoring IT infrastructure—sends alerts about potentially malicious activity. A SOC analyst often examines the findings, perhaps a phishing message or an unexpected login. Someone as familiar with following procedures as a military pro might appreciate the built-in structure found in many of these command centers, according to Sclafani. SOCs frequently have a hierarchy of tiers with specific and increasing responsibilities.

A veteran, he adds, has been trained to think like an adversary, ​​and they can potentially put themselves in the headspace of a threat actor trying to evade detection.

“Having that discipline and that structure and those procedures helps ensure we get all of the correct intelligence that we need,” Sclafani said. For an alert like a phishing email, he has seen “next-level” investigations in a SOC that include interacting with a phishing link through a sandbox environment, and reviewing executables hosted on a phishing message’s domain.

Getting a foot in the SOC

Groups like SANS Technology Institute, the Department of Defense’s “SkillBridge” program, and the nonprofit VetSec offer perks for military veterans looking to begin a cybersecurity career, including early training options and internship opportunities.

With SkillBridge, active duty members receive their full military pay and benefits while they’re interning at a civilian company.

“While I didn’t utilize SkillBridge when I was transitioning out of the military, I wish that I did, and I wish that I knew more about it at the time I was leaving active duty,” Sclafani said.

Cybersecurity jobs are certainly in demand: CyberSeek, a provider of cybersecurity workforce data, revealed more than 514,000 cybersecurity job openings online. The veteran unemployment rate stood at 3.1% as of August 2025, according to US Department of Labor statistics—only slightly lower than the 3.5% unemployment rate in August 2024.

Sclafani said he understands how “intimidating and challenging” a new career phase can be for a military vet who has ended their service.

“It’s a scary transition. So, anything that we can do, I think, as a population, to help make that transition a little bit easier for those who decided to serve and set them up for success and good opportunities is going to be big,” he said.

While cyberattackers’ increasing use of AI might seem scary, cybersecurity experts are also using this technology to harden their defenses. Amidst this uncertainty, one thing is clear: this particular genie isn’t going back in the bottle. If you’d like to know more about how AI is changing how IT pros can secure their tech stacks against internal and external threats, check out IT Brew’s comprehensive articles on cybersecurity.