โŒ

Normal view

April 2026 CVE Landscape

15 May 2026 at 02:00

In April 2026, Insikt Groupยฎ identified 37 high-impact vulnerabilities that should be prioritized for remediation, 35 of which had a Very Critical Recorded Future Risk Score. This represents a 19% increase from last month.

31 of the 37 were included in the US Cybersecurity and Infrastructure Security Agency (CISA)โ€™s Known Exploited Vulnerabilities (KEV) catalog, and six were surfaced only through honeypot data. Those six CVEs associated with honeypots are available only to Recorded Future customers.

Those 37 vulnerabilities affected products from 23 vendors. Microsoft accounted for approximately 22%, while the remaining exposure was concentrated across a range of enterprise-facing vendors, particularly security and systems management tools, collaboration and server platforms, developer and application-delivery software, remote support tools, and network-edge infrastructure.

In April, Insikt Group created Nuclei templates for the missing authentication vulnerabilities in Nginx UI (CVE-2026-33032) and Marimo (CVE-2026-39987). These Nuclei templates are available to Recorded Future customers.

Quick Reference: April 2026 Vulnerability Table

All 31 vulnerabilities below were actively exploited in April 2026. This table does not include the 6 CVEs associated with honeypot activity. The table below also provides examples of public PoCs identified by Insikt Groupยฎ. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.

#
Vulnerability
Risk
Score
Vendor/Product
KEV
Malware Analysis
RCE
PoC
1
CVE-2009-0238
99
Microsoft Office Excel, Excel Viewer, Office Compatibility Pack, Office
โœ“

โœ“

(available to Recorded Future Customers)

โœ“
2
CVE-2012-1854
99
Microsoft Office, Visual Basic for Applications
โœ“
3
CVE-2020-9715
99
Adobe Acrobat, Acrobat Reader
โœ“
โœ“
4
CVE-2023-21529
99
Microsoft Exchange Server
โœ“
โœ“
5
CVE-2023-27351
99
PaperCut NG, MF
โœ“
6
CVE-2023-36424
99
Microsoft Windows Server
โœ“
7
CVE-2024-1708
99
ConnectWise ScreenConnect
โœ“
8
CVE-2024-27199
99
JetBrains TeamCity On-Premises
โœ“
9
CVE-2024-57726
99
SimpleHelp remote support software
โœ“
10
CVE-2024-57728
99
SimpleHelp remote support software
โœ“
โœ“
11
CVE-2024-7399
99
Samsung MagicINFO Server
โœ“
12
CVE-2025-2749
99
Kentico Xperience
โœ“
โœ“
13
CVE-2025-29635
99
D-Link DIR-823X
โœ“
โœ“
14
CVE-2025-32975
99
Quest KACE Systems Management Appliance
โœ“
15
CVE-2025-48700
99
Synacor Zimbra Collaboration Suite (ZCS)
โœ“
16
CVE-2025-60710
99
Windows Server Host Process for Windows Tasks
โœ“
17
CVE-2026-1340
99
Ivanti Endpoint Manager Mobile
โœ“
โœ“
18
CVE-2026-20122
99
Cisco Catalyst SD-WAN Manager
โœ“
19
CVE-2026-20128
99
Cisco Catalyst SD-WAN Manager
โœ“
20
CVE-2026-20133
99
Cisco Catalyst SD-WAN Manager
โœ“
21
CVE-2026-21643
99
Fortinet FortiClient EMS
โœ“
โœ“
22
CVE-2026-32201
99
Microsoft SharePoint Server
โœ“
23
CVE-2026-32202
99
Windows Shell
โœ“
24
CVE-2026-33825
99
Microsoft Defender
โœ“

โœ“

(available to Recorded Future Customers)

25
CVE-2026-34197
99
Apache ActiveMQ, ActiveMQ Broker
โœ“
โœ“
26
CVE-2026-34621
99
Adobe Acrobat, Acrobat Reader
โœ“
โœ“
27
CVE-2026-35616
99
Fortinet FortiClient EMS
โœ“
โœ“
28
CVE-2026-39987
99
Marimo
โœ“
โœ“
29
CVE-2026-41940
99
cPanel, WHM, WP Squared
โœ“
30
CVE-2026-3502
89
TrueConf Client
โœ“
โœ“
31
CVE-2026-5281
89
Dawn in Google Chrome
โœ“
โœ“

Table 1: List of vulnerabilities that were actively exploited in April based on Recorded Future data (excluding honeypot-sourced CVEs).

Key Trends: March 2026

  • In April 2026, seven of the 37 vulnerabilities in this report were linked to ransomware activity.
    • Six are explicitly tied to Storm-1175's Medusa ransomware operations.
    • CISA has also linked CVE-2026-41940 with known ransomware use (Sorry Ransomware, per open source reporting).
    • Additionally, threat actors exploited CVE-2024-3721 in TBK DVR devices to deliver the Nexcorium botnet.
  • Sixteen of the 37 vulnerabilities enabled remote code execution (RCE), affecting products from twelve vendors: Adobe, Apache, D-Link, Fortinet, Google, Ivanti, Kentico, Marimo, Microsoft, SimpleHelp, TrueConf, and Wazuh.
  • Insikt Groupยฎ identified public proof-of-concept (PoC) exploits for 24 of the 37 vulnerabilities in this report.
  • The most commonly observed flaws this month were CWE-22 (Path Traversal), followed by CWE-94 (Code Injection), CWE-20 (Improper Input Validation), and CWE-306 (Missing Authentication for Critical Function).
  • Three of the 37 vulnerabilities are at least five years old, with the oldest approximately seventeen years old, reinforcing how attackers continue to exploit long-known weaknesses in environments where patching has lagged. Additionally, the fastest observed time from a vulnerabilityโ€™s public disclosure to exploitation was two days.

Exploitation Analysis

This section highlights some of the highest-impact, actively exploited vulnerabilities this month, specifically those linked to known threat actor campaigns, that have public PoC exploits available, or for which Insikt Groupยฎ has created Nuclei templates to detect the vulnerability. Vulnerabilities with no meaningful public technical detail are summarized in the disclosures table only.

Threat Actors Exploit TBK DVR Vulnerability (CVE-2024-3721) to Deliver Nexcorium

On April 17, 2026, FortiGuard Labs (@FortiGuardLabs on X, formerly known as Twitter), associated with Fortinet (@Fortinet), published a technical analysis detailing a campaign that exploits TBK Digital Video Recorder (DVR) devices to deliver Nexcorium, a Mirai-based botnet. A TBK DVR device is a surveillance system recorder that captures, stores, and allows playback or remote viewing of video from connected security cameras. According to FortiGuard Labs, Nexcorium targets TBK DVR-4104 and DVR-4216 systems by exploiting CVE-2024-3721, an operating system (OS) command injection vulnerability that allows remote threat actors to execute arbitrary system commands.

Based on FortiGuard Labsโ€™ analysis, the campaign begins with the exploitation of CVE-2024-3721 through crafted requests that manipulate the mdb and mdc arguments in TBK DVR devices, which delivers a downloader script named dvr. The exploit includes the HTTP header X-Hacked-By with the value Nexus Team - Exploited By Erratic. The dvr script retrieves Nexcorium binaries with filenames beginning with nexuscorp for architectures such as ARM, MIPS R3000, and x86-64. The dvr script then sets the Nexcorium binariesโ€™ permissions to 777, and executes them with an argument that identifies the compromised system.

Further technical details associated with this activity, including sample analysis and IoCs, are available to Recorded Future customers via Insikt Group reporting.

Recorded Future customers can also access Malware Intelligence queries, which surface samples that connect to known network indicators.

Figure 1: Vulnerability Intelligence Cardยฎ for CVE-2024-3721 in Recorded Future
Figure 1: Vulnerability Intelligence Cardยฎ for CVE-2024-3721 in Recorded Future (Source: Recorded Future)

NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals

14 May 2026 at 02:00

As of April 15, 2026, NIST enriches only CVEs that appear in the CISA Known Exploited Vulnerabilities catalog, federal government software, or software designated critical under Executive Order 14028. Everything else carries a "Lowest Priority" status: no CVSS score, no affected product mappings, no weakness classification. NIST enriched roughly 42,000 CVEs in 2025, and submissions in early 2026 are running about a third higher year-over-year. Industry estimates suggest the prioritized categories will cover only 15โ€“20% of anticipated CVE volume going forward.

For teams whose vulnerability management workflows depend on CVSS scores from NVD, this could create an operational gap. The CVEs in the unenriched backlog can signify real vulnerabilities affecting real software. They don't necessarily stop mattering because NIST didn't get to them.

Recorded Future does not believe that the solution is to source CVSS scores faster. Instead, Recorded Future endeavors to provide the signals that actually reflect attacker behavior. CVSS was designed to characterize the technical properties of a vulnerability โ€” attack vector, complexity, required privileges, potential impact. CVSS was not designed with patch prioritization as a prime concern. This distinction has always existed; the growing gap in NVD enrichment increases the importance of the right intelligence and insights that can capture attacker behavior in real time.

Where vulnerability risk actually originates

Exploit code surfaces on GitHub. Proof-of-concept development gets discussed in offensive security forums and underground communities. Ransomware operators evaluate which vulnerabilities fit their deployment pipelines. Threat actors incorporate specific CVEs into their toolkits and begin scanning in search of exploitable targets.

At some point during or after that sequence, a CVE gets assigned and, under the previous policy, would eventually be enriched by NVD. By the time a practitioner sees a CVSS score in their scanner, the risk may already have materialized.

The delay between attacker use and the assignment of a CVE and CVSS score is not a new dynamic. For this reason, Recorded Future's vulnerability Risk Scores were never built to depend on NVD enrichment.

The intelligence that determines whether a vulnerability is dangerous originates in the technical communities, underground markets, exploit repositories, and malware ecosystems where attackers work. It does not come from institutional databases processing CVEs up to weeks or months post-assignment. NVD's policy change doesn't create a gap in Recorded Future's coverage because NVD is not the primary signal behind Recorded Future Vulnerability Intelligence.

What the model actually weighs

Recorded Future's risk scoring maps directly to the vulnerability weaponization lifecycle. Many of the signals fire based on where a CVE sits on that path, not on what NIST has or hasn't scored.

Figure 1: The vulnerability weaponization lifecycle, as displayed on Recorded Futureโ€™s Vulnerability Intelligence dashboard
Figure 1: The vulnerability weaponization lifecycle, as displayed on Recorded Futureโ€™s Vulnerability Intelligence dashboard (Source: Recorded Future).

The signals that carry the most weight are those tied to active exploitation in the wild โ€” malware samples observed by Recorded Future's collection infrastructure, ransomware operations validated by Insikt Groupยฎ analysts, and other direct evidence of attacker use. Confirmed exploitation activity carries the most weight in the model, regardless of a CVE's CVSS score. These are the signals that answer the question practitioners actually need answered: is someone using this right now?

Below active exploitation, the model tracks proof-of-concept availability, including the distinction between a verified and unverified PoC. Verified exploit code that demonstrates remote execution is a materially different signal from an unverified proof of concept of unknown reliability. As an example, exploit code on GitHub is not theoretical risk; it usually compresses the time between disclosure and weaponization. Recorded Future Risk Scores treat it accordingly.

In addition to these collection and analytic capabilities, Recorded Future tracks web reporting about a CVE before NVD has published enrichment data. For the majority of new CVEs going forward, this pre-NVD signal may be the earliest structured intelligence available anywhere. A CVE that NIST has marked Lowest Priority can still accumulate signals across many dimensions. As a result, the absence of a CVSS score in NVD doesn't create a blind spot in Recorded Future's assessment.

CVSS still matters. It just isn't the foundation.

CVSS scores flow into the model from multiple sources. Many CVE numbering authorities (CNAs) supply CVSS scores at the point of submission, and CVSS coverage across published CVEs remained above 90% in 2025 even as NVD's independent enrichment narrowed. That doesn't mean CNA-supplied scores are interchangeable with NVD's. Academic analyses of dual-scored CVEs have documented divergence rates above 50% throughout the past decade, reaching 70% in 2023, with disagreements sometimes large enough to move a vulnerability across severity tiers. For CVEs where neither NVD nor a CNA has provided scoring, Recorded Future independently assigns scores through its own analysis. CVSS occupies one position in the model, alongside signals grounded in observable attacker behavior, and those signals operate independently of whether a CVSS score exists at all.

What to do with this

Audit where your prioritization signals come from. If your program is relying entirely or primarily on CVSS scores pulled from NVD, you may have exposure, not just from the existing backlog, but from every new CVE entering the ecosystem under the new policy.

Recorded Future Vulnerability Intelligence, as a part of the Cyber Operations solution, scores every CVE against the full signal set โ€” exploitation activity, malware and ransomware associations, proof-of-concept availability, threat actor targeting, and analyst-validated intelligence. All independent of NVD's enrichment pipeline. See this prioritization and automation in action with this click-through tour.

See how Vulnerability Intelligence integrates with your existing vulnerability management workflow โ€” request a demo.

Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense

14 May 2026 at 02:00

Executive Summary

Artificial intelligence is often discussed as a tool for automating and accelerating existing cybersecurity workflows. While that framing is accurate, it is incomplete. The most consequential shift occurs when AI is combined with threat intelligence โ€” both intelligence about attacker capabilities and TTPs, and intelligence about our own defensive weaknesses and exposure. This combination produces qualitatively new defensive capabilities that may, for the first time, begin to structurally narrow the long-standing asymmetry between attackers and defenders.

This memo examines what is genuinely new about AI-enabled defense, with particular emphasis on how the fusion of threat intelligence and AI reasoning changes the strategic calculus. It also argues that in the end, it is a question of who can most efficiently use scarce resources (compute and energy) to get the upper hand. Intelligence guides defenders in how to best use these resources to defend, thereby changing the balance of power against adversaries.

The Traditional Defenderโ€™s Dilemma

The core asymmetry in cybersecurity is well understood: defenders must protect every possible attack surface, while attackers only need to find one exploitable weakness. Defenders operate under constraints โ€” budgets, compliance mandates, uptime requirements โ€” while attackers can be patient, selective, and asymmetric.

Traditionally, threat intelligence has been consumed by defenders as a feed: indicators of compromise, malware signatures, and published advisories. This intelligence was valuable but largely reactive and disconnected from the defenderโ€™s own environment. Knowing that a threat group uses a particular technique is only useful if you can rapidly assess whether that technique works against your infrastructure. That assessment has historically required scarce human expertise, time, and tooling โ€” precisely the resources defenders lack.

The Automation Layer: Real But Evolutionary

A significant portion of AIโ€™s current impact on defense is best described as automation of existing processes: faster alert triage, automated enrichment, accelerated patch prioritisation, and AI-assisted Tier 1 SOC analysis. These improvements are valuable โ€” they compress response times, reduce analyst fatigue, and address chronic staffing shortages โ€” but they are conceptually extensions of workflows that already existed.

Similarly, AI can automate the ingestion and normalisation of threat intelligence feeds, reducing the manual work of parsing reports and extracting indicators. This is useful, but it does not change what defenders can fundamentally do with that intelligence. The real transformation lies elsewhere.

The Convergence: Where Threat Intelligence Meets AI Reasoning

The most significant shift is not AI applied to defense in isolation, nor threat intelligence consumed as a feed. It is the convergence of the two: AI systems that can reason simultaneously over what attackers are doing and what defenders are exposed to, in real time, at scale. This convergence produces capabilities that did not previously exist.

1. Connecting Attacker TTPs to Your Actual Exposure

Traditionally, a threat intelligence report might tell you that a particular adversary group is exploiting a vulnerability in a specific product, or is targeting your sector using a known technique chain. Acting on that information used to require an analyst to manually map those TTPs against your environment: do we run that product? Is the vulnerable version deployed? Are the relevant network paths open? Are our detection rules adequate for that technique?

AI can perform this mapping continuously and at scale. When a new threat report lands, an AI system can immediately cross-reference the described TTPs against a live model of your infrastructure, your patching state, your detection coverage, and your segmentation โ€” and surface a prioritised assessment of actual risk, not theoretical risk. This transforms threat intelligence from awareness into actionable, environment-specific defense guidance.

2. Fusing Offensive Intelligence With Defensive Weakness Data

Defenders have long maintained two separate bodies of knowledge: external threat intelligence (what adversaries are capable of and likely to do) and internal vulnerability and exposure data (what weaknesses exist in our own environment). These have typically lived in different systems, managed by different teams, and reconciled manually and infrequently.

AI enables continuous fusion of these two streams. A model can hold both the attackerโ€™s perspective โ€” known TTPs, targeting patterns, tooling, and objectives โ€” and the defenderโ€™s perspective โ€” unpatched systems, misconfigured controls, overprivileged accounts, and detection gaps โ€” and reason about the intersection. The result is not a vulnerability list or a threat report, but an integrated picture of where the attackerโ€™s capabilities meet our specific weaknesses. This is the analysis that the best red teams produce during an engagement, except it can now run continuously rather than quarterly.

3. Predictive Prioritisation Based on Adversary Behaviour

Patch prioritisation has traditionally been driven by CVSS scores โ€” a measure of theoretical severity that ignores both attacker intent and environmental context. AI models trained on threat intelligence can reorder priorities based on which vulnerabilities are actually being exploited in the wild, by which adversary groups, against which sectors, using which delivery mechanisms. Combined with internal exposure data, this enables prioritisation that better reflects real-world risk rather than abstract severity.

The same logic applies to detection engineering. Rather than building detections for every possible technique, AI can identify the techniques most likely to be used against your specific environment โ€” based on who is targeting your sector, what tools they use, and where your coverage gaps are โ€” and focus engineering effort where it matters most. In fact, in most cases AI will be able to build those detectors for you!

4. Reasoning Over Context at Scale

Traditional detection systems correlate events against rules. AI models can reason about events holistically, synthesising partial logs, ambiguous telemetry, and unusual configuration changes into a judgment that approximates what a senior analyst would conclude. Crucially, this reasoning can be informed by threat intelligence: not just โ€œis this anomalous?โ€ but โ€œis this consistent with the tradecraft of groups known to target us?โ€ That contextual layer makes detection both more accurate and more relevant.

5. Continuous Attack-Path Modelling

Historically, understanding oneโ€™s own exposure was a periodic exercise: run a penetration test, receive a report, remediate, repeat. AI enables a living model of the environment that continuously re-evaluates exploitable paths to critical assets as conditions change. When this model is enriched with threat intelligence โ€” particularly information about which attack paths adversaries actually favour, and which tools they use to traverse them โ€” the result is a dynamic, threat-informed view of exposure that stays up to date automatically, not only when your manual pen testers or red team have time to update it.

6. Adversarial Prediction During Active Incidents

During an active incident, experienced responders draw on their knowledge of attacker behaviour to anticipate likely next moves. AI models trained on threat intelligence and historical incident data can encode this reasoning and make it available to any response team. If the model recognises that the observed initial access technique and lateral movement pattern are consistent with a known adversary group, it can predict likely next steps โ€” which credentials they will target, which persistence mechanisms they prefer, which data they are likely to exfiltrate โ€” and help defenders get ahead of the intrusion rather than simply reacting to each new indicator.

Turning the Tables: AI-Enabled Deception

The capabilities described above are fundamentally defensive: detecting, predicting, and prioritising. But the convergence of AI and threat intelligence also opens a qualitatively different category of action โ€” using intelligence about the attacker to actively mislead them.

From Static Honeypots to Adaptive Deception

Deception technologies such as honeypots and honeytokens have existed for decades, but they have always been constrained by how static and labour-intensive they are to deploy convincingly. A skilled attacker can often identify a honeypot by its lack of realistic activity, stale data, or inconsistencies with the surrounding environment. AI removes these constraints. AI-generated deception environments can include realistic-looking decoy infrastructure โ€” fake services, plausible file shares, synthetic credentials, even simulated user activity patterns โ€” that adapts dynamically in response to attacker behaviour. Rather than a static trap that a competent adversary recognises and avoids, the defender can maintain a deception layer that evolves to stay convincing.

Intelligence-Informed Decoy Placement

This capability ties directly into the threat intelligence fusion described above. If you know which TTPs a likely adversary uses, which attack paths they favour, and where your real weaknesses are, AI can place decoys precisely along the routes those adversaries are most likely to take. The deception is no longer generic; it is tailored to the specific threat. A decoy credential can mimic the type of service account the adversaryโ€™s tooling is known to target. A fake file share can contain documents plausible enough to absorb attacker time and attention, and simultaneously provide new intelligence about the adversary. The threat intelligence that informs your defensive posture simultaneously informs your deception strategy. This is โ€œMachine Counter Intelligenceโ€!

Imposing Costs and Eroding Attacker Confidence

AI-generated deception at scale inverts a piece of the traditional asymmetry. Attackers who encounter a pervasive deception layer must spend significant time and effort distinguishing real assets from fake ones. Every interaction with a decoy wastes their resources, degrades their confidence in the intelligence they have gathered, and increases the risk that they will trigger an alert. In effect, the attacker now faces a version of the defenderโ€™s dilemma: they must verify everything, while the defender only needs one decoy to succeed.

Active Intelligence Collection Through Engagement

Perhaps most significantly, AI can interact with attackers inside deception environments in ways that feel plausible, drawing out more of their tooling, techniques, and objectives. This turns deception from a passive tripwire into an active intelligence-gathering operation. The tradecraft revealed through these engagements feeds back into the threat intelligence cycle, improving the defenderโ€™s understanding of the adversary and refining future defensive and deceptive measures. The result is a virtuous loop: intelligence informs deception, deception generates new intelligence.

There is an inherent tension in active deception engagement: traditional incident response doctrine prioritises minimising dwell time, while deception-based intelligence collection deliberately extends it. The risks are real โ€” containment failure if the deception boundary isn't airtight, resource cost of sustained monitoring, potential legal and regulatory questions about why an attacker was permitted to remain active, and the possibility that a sophisticated adversary recognises the deception and feeds false signals back to poison your intelligence. These risks do not invalidate the approach, but they define the conditions under which it works. Active engagement requires genuinely isolated deception infrastructure, and clear decision frameworks for when to engage.

Democratising Access to Intelligence-Driven Defense

A less obvious but structurally significant change is that AI lowers the barrier to performing intelligence-driven defense. When an analyst can query in plain language โ€” โ€œwhich of our externally-facing systems are vulnerable to techniques used by a certain threat group in the last 90 days?โ€ โ€” and receive an accurate, contextualised answer, the skill requirement for effective threat-informed defense drops substantially. This is not doing an old thing faster; it is enabling a different operating model in which threat intelligence becomes a working tool for the entire security team, not just the analysts who specialise in it.

Strategic Implications

The most profound implication is that defenders have historically been reactive because they lacked the cognitive bandwidth to continuously fuse offensive intelligence with their own exposure data. AI makes this fusion not only possible but economically viable for organisations that could never previously afford dedicated threat intelligence teams, red teams, and continuous assessment programmes.

This changes the nature of the defenderโ€™s dilemma. The traditional framing โ€” โ€œdefenders must protect everything; attackers only need one way inโ€ โ€” assumed that defenders could not know, in real time, which parts of their attack surface are most likely to be targeted. AI-enabled threat intelligence fusion challenges that assumption. If defenders can continuously identify the most probable attack paths based on current adversary behaviour and their own specific weaknesses, they can concentrate resources where they matter most. The dilemma does not disappear, but the defender is no longer operating blindly, but can take control.

The key asymmetry is therefore shifting from โ€œattacker versus defenderโ€ to โ€œAI-augmented versus non-augmented.โ€ Organisations that integrate AI with robust threat intelligence programmes may find themselves closer to parity with attackers than at any point in the history of the field. Those that do not will face an even steeper version of the traditional dilemma, as AI-empowered adversaries exploit the widening gap.

Final Words

The emergence of fully autonomous AI agents on both sides raises unresolved questions. If attackers deploy autonomous offensive agents that can chain exploits and adapt to defenses without human guidance, defenders will need equally autonomous systems โ€” systems that consume threat intelligence, assess exposure, and act on the results without waiting for human approval. The governance, trust, and control challenges this creates are substantial, but the journey towards this goal must begin now.

There is also a risk that the intelligence-AI feedback loop becomes adversarial in new ways. Sophisticated attackers who understand that defenders are using AI to map TTPs against exposure may deliberately vary their tradecraft to evade predictive models, or generate false signals to misdirect AI-driven defense. The quality and provenance of threat intelligence will become even more critical as AI amplifies both its value and the consequences of acting on flawed data โ€” we need automation-grade intelligence!

We have not changed the basic equation: defenders must still know and mitigate every weakness, while the attacker needs only one. AI does not abolish that asymmetry, and claiming otherwise would be dishonest. What AI fused with threat intelligence does is change the terms of the contest. Instead of defending blind โ€” treating every weakness as equally likely to be exploited โ€” defenders can now continuously map attacker capabilities against their own specific exposure, concentrate resources on the paths adversaries actually use, and impose real friction through deception that degrades the attacker's speed advantage. The attacker still only needs one weakness, but they are now searching for it in an environment that fights back: one that predicts where they will look, places convincing traps along those paths, and learns from every encounter.

The defender may never achieve dominance, but the era of structural helplessness โ€” of knowing that the asymmetry is permanent and unmanageable โ€” is ending for organisations willing to invest in these capabilities. Parity in an adversarial contest is not a consolation prize; it is the condition under which skill, preparation, and operational discipline start to matter more than structural advantage.

Diagram showing how AI-powered Deception Networks flip the defender's dilemma in cyber defense

โŒ