
As adversaries evolve their techniques, security leaders must rise to the challenge of keeping pace in their defensive practices. Not only do they have to address new vulnerabilities and block known threats, but they must do so in an environment where attacks could unfold in minutes or hours. It is more difficult than ever to identify the line between normal activity and malicious behaviour.
National Cybersecurity Awareness Month is an ideal moment to step back and confront this reality. Awareness is no longer just reminding employees that security is everyone’s responsibility and offering tips on how to avoid phishing emails; it’s about acknowledging how quickly threats are changing and ensuring the workforce is ready to keep up. Security leaders should strive to identify how to optimise their programs, striking a balance between centralised controls and user education.
The speed and sophistication of modern threats are rewriting the rules of defence. Adversaries can move through intrusion chains faster than ever, cutting the window for risk mitigation to hours – or even minutes.
The traditional model of identifying, analysing, and then responding to threats is difficult to scale. Research found that the median global dwell time has risen to 11 days. While only a slight increase, it’s the first time this statistic has not improved in years, highlighting that adversaries are holding the line or deepening their entrenchment in the environments they compromise. The result is that adversaries are adapting to defenders’ detection methods, giving them a longer period of “free rein” in a compromised environment.
The rise of ClickFix, a heavily used paste-and-run technique, is a prime example of how quickly threats can emerge and evolve. In less than a year, this technique has gone from relatively unknown to mainstream. Threats like Scarlet Goldfinch have already switched from older fake browser update lures to ClickFix, proving how quickly adversaries pivot once a technique is proven to be effective.
Large language models (LLMs) as well as other generative AI technologies open opportunities for further adversary evolution. While GenAI hasn’t yet created a new class of attacks, it has made many existing ones cheaper, faster, and more effective. Phishing lures no longer carry the obvious red flags of spelling mistakes or awkward phrasing.
Instead, adversaries might use AI tools to generate messages and graphics that are practically indistinguishable from the genuine communications they impersonate. Malware developers may be able to debug their code faster with the same tools legitimate developers use to optimise their release cycles. Reconnaissance can be automated into a more streamlined, background task that requires little human intervention or attention to complete. Recent research has even uncovered early examples of LLMs being embedded directly into malicious code to make it more adaptive and capable of responding to prompts autonomously.
This marks a turning point as AI is no longer solely a tool for speed. Instead, some attackers are making AI a part of the attack itself, forcing defenders to rethink how they use intelligence and automation on their own side of the equation. The message is clear: adversaries are not just innovating – they are industrialising for both speed and scale. Threats that once unfolded over weeks now play out in hours, allowing them to conduct more attacks in general over the same amount of time. Further, the tools to continue this acceleration are more accessible than ever.
Gartner predicts that global spending on public cloud services will exceed US$723 billion by the end of this year. Since many of these cloud services rely on centralised identity management, this trend cements identity attacks as a key domain for adversaries. Once they compromise an identity, adversaries can often bypass traditional security and privacy controls entirely, as they’re impersonating a trusted user. This may permit them to move through multiple cloud applications and infrastructure providers without triggering alarms.
For security teams, the challenge isn’t always about spotting malicious activity – it’s distinguishing it from normal business operations or simple human error. A login from an unusual IP address could be an employee connecting through a VPN on a personally owned device, or it could be an adversary who has compromised that user’s identity and is logging in from their own infrastructure.
The ambiguity between adversary activity and legitimate employee behaviour is what makes these risks so challenging and widespread. Red Canary recorded an almost 500% surge in detections tied to cloud account logins in the first six months of 2025 compared to all of the previous year. Some of these detections were adversaries cloaking their activity behind VPNs, while others were employees mistakenly committing policy violations.
Regardless of the root cause, both kinds of event have a significant impact, increasing exposure and risk. At scale, defenders can’t afford to wait to see which of these events turn out to be real threats. By the time the nature of such a detection can be fully determined, the damage is often done.
For all of these reasons, National Cybersecurity Awareness Month matters. It isn’t just a chance to push out new training modules to educate the user base, though this is still an important part of every security program. Cybersecurity Awareness Month can be used as an inflection point to recalibrate security in general. Traditional defences are approaching their limits. Despite rising budgets, 87% of organisations suffered incidents in 2024 that they couldn’t detect or neutralise. In the face of tool sprawl, alert fatigue, and stretched SOC teams, increased spend does not universally translate to greater protection.
Organisations must therefore transition towards intelligence-led operations. By automating threat detection, security teams can strip out noise, cut through ambiguity, and access the context they need to act quickly. Thoughtfully implemented and continuously validated AI-driven threat analysis processes can highlight the most relevant signals so human experts can focus their investigations on the most pressing threats.
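To make the login ambiguity described above concrete, the following is an added example (not code from the article or from Red Canary) of the kind of automated context enrichment this paragraph calls for: a triage function that combines three assumed signals (per-user IP history, ASN ownership of the source address, and device enrolment status) with the MFA outcome to separate an employee policy violation from a login that warrants investigation. The reference data, ASN names and login events are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed reference data standing in for an asset inventory and an
# IP-enrichment feed; the networks are RFC 5737 documentation ranges.
CORPORATE_EGRESS = [ip_network("203.0.113.0/24")]
CONSUMER_VPN_ASNS = {"VPN-PROVIDER-A", "VPN-PROVIDER-B"}  # hypothetical names
MANAGED_DEVICES = {"LAPTOP-0042", "LAPTOP-0077"}


@dataclass
class Login:
    user: str
    src_ip: str
    asn_name: str         # owner of the source ASN (assumed enrichment lookup)
    device_id: str        # as reported by the identity provider, "unknown" if none
    mfa_passed: bool
    seen_ip_before: bool  # per-user IP history from the identity provider (assumed)


def triage(ev: Login) -> tuple[str, list[str]]:
    """Classify one cloud login as benign, policy_violation or investigate."""
    if any(ip_address(ev.src_ip) in net for net in CORPORATE_EGRESS):
        return "benign", ["corporate egress"]
    consumer_vpn = ev.asn_name in CONSUMER_VPN_ASNS
    managed = ev.device_id in MANAGED_DEVICES
    reasons = []
    if not ev.seen_ip_before:
        reasons.append("first login from this IP for user")
    if consumer_vpn:
        reasons.append("consumer VPN egress")
    if not managed:
        reasons.append("unmanaged device")
    if not ev.mfa_passed:
        reasons.append("MFA not satisfied")
    # Known VPN exit, MFA satisfied, but a device the IdP never enrolled: the
    # employee-on-a-personal-device case, a policy matter rather than an intrusion.
    if consumer_vpn and ev.mfa_passed and not managed:
        return "policy_violation", reasons
    # Unfamiliar IP that is not a known VPN exit, plus a weak session (no MFA or
    # no enrolled device): consistent with an adversary's own infrastructure.
    if not ev.seen_ip_before and not consumer_vpn and (not ev.mfa_passed or not managed):
        return "investigate", reasons
    return "benign", reasons or ["known IP, managed device, MFA"]


SAMPLE_EVENTS = [  # constructed events, not real telemetry
    Login("alice", "203.0.113.10", "EXAMPLE-CORP", "LAPTOP-0042", True, True),
    Login("bob", "198.51.100.7", "VPN-PROVIDER-A", "unknown", True, False),
    Login("carol", "192.0.2.55", "HOSTING-XYZ", "unknown", False, False),
]
```

Running `triage` over `SAMPLE_EVENTS` yields one benign login, one policy violation and one event for an analyst, with the reasons list carrying the context that made the call.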
This shift is not about replacing human expertise – it’s about augmenting analysts’ capabilities. It’s about ensuring analysts focus on the most critical alerts that could make or break the business and can resolve them before any damage is done.
National Cybersecurity Awareness Month can be used as a catalyst for change. It’s the moment to stress-test incident response plans and revalidate previous assumptions about an organisation’s risk appetite. While it’s not a new phrase, it’s fair to say that in cyber-security circles, change is the only constant. Adversaries will continue to evolve, identities will remain prime targets, and cloud adoption will continue to expand the attack surface.
Defenders must evolve in turn, staying as far ahead of adversaries as possible, rather than relying on static tools or rules to keep their organisations safe. Defenders must develop and implement Incident Response and Readiness plans that are resilient by design and agile enough for practitioners to adapt while actively facing human adversaries.
The organisations that will succeed are those that go beyond simply acknowledging change and instead build in the flexibility to make deliberate choices about risk and act decisively as future evolutions in security emerge.
Keith McCammon is CSO at Red Canary
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543