PointWire

In security, we have a habit of chasing the new and overlooking the fundamentals. That instinct becomes even more dangerous in the age of AI. Every week brings a new model, a new attack technique, or a new category of tooling. Boards are asking about AI risk. Vendors are rebranding everything with an AI label. Security teams are under pressure to respond, often quickly and visibly.

But the uncomfortable reality is that most organisations are still being compromised in very traditional ways.

Phishing still works. Unpatched systems still get exploited. Excessive privileges still get abused. Forgotten software lingers on endpoints and servers long after anyone remembers why it was installed. Attackers are not abandoning these methods. They are scaling them with AI.

That shift matters. AI does not replace attacker tradecraft. It amplifies it. It lowers the cost of reconnaissance, speeds up exploit development, and improves social engineering. What once required time and skill can now be done faster, cheaper, and at scale.

This is exactly why getting the basics right matters more than ever.

The widening gap

The balance is shifting further in the attackers’ favour. Attackers are using AI to increase speed and volume. Defenders, meanwhile, often respond by adding more tools, more alerts, and more complexity. The result is a widening operational gap. Security teams become overwhelmed while adversaries become more efficient.

Closing that gap does not start with more tooling. It starts with reducing the attack surface and tightening control over what can happen in your environment.

Accelerated patching, application allowlisting, identity controls, and software hygiene remain some of the most effective levers. Together, they give organisations a fighting chance.

The UK’s NCSC posted guidance back in 2021 that speaks to the basics of cyber security. These 10 steps are even more important now than ever before.

Patching is necessary but not sufficient

Most organisations that I speak to understand the importance of patching. Few execute it well. Even in mature environments, patch cycles stretch into weeks or months. Exceptions accumulate. Legacy systems linger. Internet-facing assets get missed.

Meanwhile, exploit code is now generated, refined, and shared faster than ever. AI is accelerating the time between vulnerability disclosure and active exploitation. That window is shrinking.

So yes, patching needs to be faster. Prioritisation needs to be sharper. Asset visibility needs to be accurate. But even if you improve all of that, patching alone will not save you. There will always be a gap between vulnerability disclosure and remediation, and that gap is where attackers live.

Remove what you do not need

Another fundamental that often gets overlooked is removing obsolete and unused software. This is not housekeeping. It is risk reduction.

Unused applications, stale utilities, old browser plug-ins, IDE extensions, abandoned admin tools, and obsolete services all expand the attack surface. They create more places for vulnerabilities to hide, more software to patch, and more opportunities for attackers to exploit something forgotten.

In practice, software sprawl creates risk in several ways:

    • Old software may no longer receive updates

    • Unused tools can still be exploited if they remain installed

    • Every additional application increases the likelihood of misconfiguration

    • Forgotten software persists because no one owns it

A disciplined removal process reduces both noise and exposure. If a tool has no clear business value, no current owner, and no operational need, it should not remain in the environment by default.

Application allowlisting as a control point

This is where application allowlisting becomes powerful. At its core, allowlisting enforces a simple principle. Only approved code is allowed to run. Everything else is blocked by default. In practice, that shifts the defensive posture in a meaningful way:

    • Unknown or unauthorised binaries cannot execute, even if they exploit a vulnerability

    • Commodity malware and many AI-generated payloads fail immediately because they are not on the allowlist

    • Living-off-the-land techniques become harder when execution paths are tightly controlled and monitored

Think of it as reducing the attacker’s room to manoeuvre. Even if they gain initial access, their ability to progress is constrained. This buys time and significantly increases the chances of detection.

Identity is now the primary battleground

If there is one area where organisations still underestimate risk, it is identity. Attackers no longer need to break in when they can log in.

AI is making credential harvesting, phishing, and session hijacking more convincing and more scalable. That makes strong identity controls a core part of getting the basics right.

Phishing-resistant multi-factor authentication should be the default, not the aspiration. Methods such as FIDO2 security keys or platform-based passkeys eliminate entire classes of attack that still succeed against SMS or push-based MFA.

Conditional access policies add another critical layer. They enforce context-based decisions such as device health, location, and risk signals before granting access. Done well, they reduce exposure without unnecessary user friction.

Session controls further limit what can happen after authentication. For example:

    • Requiring re-authentication for sensitive actions

    • Restricting downloads from unmanaged devices

    • Blocking high-risk changes to accounts and data

Any one of these is an excellent control to implement, but together they turn identity from a weak point into a control point.

Least privilege and blast radius control

Another area where fundamentals consistently fall short is privilege management. Excessive access remains one of the most reliable ways for attackers to move from initial compromise to meaningful impact. AI simply accelerates the discovery and exploitation of those pathways.

Reducing privilege is not just a principle. It is about limiting blast radius:

    • Remove standing administrative rights wherever possible

    • Use just-in-time access for elevation

    • Segment environments to prevent easy lateral movement

    • Monitor and control the use of powerful system tools

If an attacker compromises a single endpoint, the difference between limited user rights and broad administrative access is often the difference between a minor incident and a major breach.

The combination that changes the game

Individually, none of these controls are new. Together, they form a defensive model that is resilient to how attacks are evolving:

    • Rapid patching reduces exploitable entry points

    • Removing unused software reduces unnecessary exposure

    • Application allowlisting constrains execution

    • Strong identity controls protect access

    • Least privilege limits impact

This layered approach is particularly effective against AI-enabled threats. Speed and scale become far less useful when each stage of an attack is constrained by default. It is not about perfection. It is about stacking controls so that failure in one layer does not lead directly to compromise.

Practical realities

None of this is free, but the real cost is maturity rather than money. It takes time to understand your environment, identify what genuinely matters, and implement controls in a way that is practical, sustainable, and effective.

    • Allowlisting requires careful rollout

    • Conditional access needs tuning

    • Phishing-resistant MFA requires user education and sometimes hardware

    • Software removal requires ownership and discipline

    • Privilege reduction must be handled carefully to avoid disruption

These are not unknown challenges. They are predictable and solvable.

For organisations aiming to reduce risk, this is where effort should go. Not into chasing every new detection capability, but into making the environment more controlled, more deterministic, and easier to defend.

Final thought

AI will continue to reshape both offence and defence. That is not in question. What is in question is how organisations respond. Chasing every new AI-driven security capability without solid fundamentals is a losing strategy. It adds complexity without addressing core exposure.

In contrast, doubling down on basics such as patching discipline, software hygiene, strong identity controls, execution control, and least privilege creates a foundation that scales with the threat.

If anything, AI raises the bar for operational hygiene. It punishes inconsistency and rewards simplicity. The organisations that adapt best will not be those with the most tools. They will be the ones that make it hardest for attackers to do anything useful once they get in.

And that still comes down to getting the basics right.

About me

I am the Security Director at PointWire, where I focus on helping organisations of all shapes and sizes strengthen their security posture through practical, risk-aware controls.

Before joining PointWire, I was a Technical Account Manager at Tanium and previously served as a Principal Architect at AppSense, bringing deep experience across endpoint security, enterprise architecture, and operational resilience.