Not hours. Not days. It takes thirty-nine seconds from initial access to data exfiltration.
That stat, pulled from Unit 42ยฎ research, isn't hypothetical. It's what defenders are up against right now, while most organizations are still building security teams around manual detection and response workflows that were never designed to operate at machine speed.
Wendi Whitmore, Chief Security Intelligence Officer at Palo Alto Networks, put it plainly in a recent conversation on the Threat Vector podcast, recorded live at RSA this year:
If you're applying a manual detection and response capability, you are going to be beat by the attacker every day.
It's the kind of sentence that should make security budgets move faster.
The Threat Landscape Doesn't Wait for Organizational Consensus
Whitmore has spent nearly 25 years tracking nation-state actors, and she's unequivocal about what's changed. The adversaries today aren't just better funded and more sophisticated. They're faster, and increasingly AI-powered.
Consider what's converging right now:
Chinese nation-state groups like Volt Typhoon and Salt Typhoon have been operating with near-surgical patience inside critical infrastructure, leveraging existing administrative tools to avoid detection. Volt Typhoon is focused on military prepositioning in power grids, water systems and telecommunications. Salt Typhoon has been systematically collecting intelligence from those same networks. Neither group announces itself with novel malware. They disappear into environments using the tools already there.
Meanwhile, threat actors tied to Iran are operating with entirely different objectives: tactical disruption and destruction. And financially motivated cybercriminal groups are automating ransomware campaigns at a pace that has compressed attack timelines from weeks to minutes.
Every CISO is being asked to defend against all of them simultaneously, while also managing their organization's AI expansion, and doing it without adding headcount.
Speed Is the New Perimeter
When Whitmore references the 39-second exfiltration window, she's pointing at something structural, not just alarming. It reflects how completely the attacker's operational tempo has shifted.
The 72-minute data breach figure from Unit 42 Incident Response data is equally striking: From initial access to full data theft in the time it takes to sit through a decent movie. A 400-times year-over-year increase in exfiltration speed isn't a trend. It's a fundamental change in the physics of an attack.
"There is no way that we are going to defeat these adversaries if we are working at manual speed," Whitmore explained. The answer isn't just more analysts. It's fighting AI with AI, letting machines handle the volume and velocity, so humans can focus on the problems that actually require human judgment.
Two Sides of the Same AI Problem
Here's where the conversation gets more nuanced and more important.
Most of the AI-in-security conversation focuses on the offensive side: adversaries using generative AI to craft convincing phishing lures, accelerate reconnaissance and automate attack sequences. That's real, and it's accelerating.
But Whitmore raised the other half of the problem, one that gets far less attention: The attack surface that organizations are creating by deploying AI without securing it.
Innovation of AI doesn't so far outpace the security of AI.
This is the outcome she wants to see. Right now, that's not what's happening. Business pressure to deploy AI quickly is outrunning the security architecture required to protect it. Every new AI deployment touching production data, cloud APIs and enterprise systems expands the attack surface. Shadow AI, prompt injection, model poisoning: These are not future threat vectors. They're present tense.
The distinction Whitmore draws is useful: AI for cybersecurity (faster detection, automated response, reduced analyst burden) needs to advance in parallel with cybersecurity for AI (securing the models, prompts and data pipelines that organizations are building on). One without the other creates exactly the kind of asymmetry attackers will exploit.
Visibility Is Where It Starts
Whether the conversation is about defending against nation-state actors or securing AI deployments, Whitmore keeps returning to the same foundation of visibility.
Not complexity. Not more tools. Visibility is a single, unified view of what's happening across endpoints, networks, cloud and AI systems, thatโs fast enough to matter when the window is measured in seconds, not days.
For SOC teams, that means being able to detect and contain a threat before a compromise of one system becomes an enterprise-wide event. For CISOs thinking about AI governance, it means understanding what's being deployed, what's being prompted, and where the data is going before an incident surfaces for them.
The organizations Whitmore sees succeeding aren't the ones with the largest security budgets. They're the ones with the clearest picture of their environment, and the architecture to act on it in real time.
The Win Looks Different Now
Perhaps the most important reframe in the conversation is that the objective is no longer to prevent every attack. That goal is not achievable against adversaries operating at AI speed with nation-state resources.
The win is resilience. Detecting fast and containing fast. Keeping one compromised endpoint from becoming an enterprise-wide breach.
That shift in framing, from prevention to rapid recovery, has significant implications for how security teams are built, how AI is integrated into workflows, and how CISOs make the case for investment to leadership that still thinks in terms of keeping attackers out.
The adversaries already know the perimeter is gone. The question is whether your defense strategy has caught up.
The Unit 42 2026 Global Incident Response Report goes deep on the threat trends shaping how modern attacks unfold. If you want the data behind the headlines, start here. Download the Report โ
This article is based on a conversation with Nikesh Arora on the 100th episode of the Threat Vector podcast.
David Moulton interviews Nikesh Arora on the Threat Vector podcast.
"Most technologists think about technology, not about cybersecurity," Nikesh Arora says. "Cybersecurity is kind of like insurance. Let's go make great things happen, and let's make sure on the way we purchase insurance."
Coming from the CEO of the world's largest cybersecurity company, it's the quiet part said out loud, and it explains why AI deployment is racing ahead while security scrambles to keep up.
Earlier this year, Arora spoke with a CIO entirely focused on AI deployment challenges: building viable products, training models, measuring customer impact. Security never came up once. "If you're still going through the motion, trying to understand, โCan I actually make this thing work?โ You're not worried about security," Arora notes. The logic is brutal but consistent: Why secure something that might not even function?
Why the gap between innovation and security keeps widening.
How to read inflection points before they're obvious.
What separates organizations that prepare from those that scramble.
The Gap That Keeps Growing
The disconnect isn't new. It's the same psychology that makes airport security feel like overhead โ necessary friction that slows down what should be seamless. But with AI, the gap is widening at an unprecedented pace.
Consider the infrastructure buildup happening right now. Nvidia has become a $4 trillion company selling chips that can't stay in stock. Hundreds of billions of dollars are flowing into AI-computer infrastructure. Cloud providers are buying out entire methane gas companies to power their data centers.
Yet organizations are treating AI security as something to bolt on later. That same CIO told Arora: "We worked on some stuff ourselves, and we're just jerry-rigging some things to make sure this happens securely."
Arora's response:
Jerry rig, production, and security don't work together as three terms.
Reading Signals Before They're Obvious
Arora has watched enough technology cycles to recognize the pattern. "You start seeing signs early, and then you look around, you don't see enough impact. You say, okay, maybe this is going to be just a passing shower. But you don't realize that over time this thing's getting more and more momentum."
The signs around AI are adding up:
Individual behavior has shifted.
Arora went from never talking to ChatGPT or Gemini to conducting 10-15 conversations daily. During a recent Tokyo trip, he used Gemini as his primary navigation tool, asking it to rank sumo wrestling shows for his kids rather than "trying to go read 14 websites and figure out what makes sense."
The spend is massive and accelerating.
Not just chips, entire energy infrastructures are being rebuilt to support AI compute needs.
Consumer and enterprise adoption are both surging.
From coding assistants to business analysis, use cases are expanding faster than security models can adapt.
"This thing's going to change our life fundamentally," Arora tells Moulton. "We're not seeing it at scale in our customers just yet. That doesn't mean we can sit back and wait."
Arora understands the risks involved in being late to new technology.
You have to not just anticipate where the trend is going. You have to prepare your organization and the resources to get there. Otherwise, the risk is that Silicon Valley will go fund those people who are thinking purely about the new world... and one of them's going to hit. Then you'll be two years behind with no organization, no resources deployed against it.
The Bets That Paid Off
When Arora joined Palo Alto Networks seven and a half years ago, he wrote two words on a piece of paper: cloud and AI. The company was a firewall business. Those two inflection points would require fundamental transformation, and, just as with AI now, being late was not an option.
If you don't get the network transformation right, 80% of our business will falter.
That insight drove a strategic bet on moving from point products to platform thinking, consolidating security tools rather than adding to the sprawl.
The platform approach wasn't about vendor consolidation for its own sake. It was about correlation. Unit 42ยฎ data shows that 70% of incidents now span three or more attack surfaces. When attacks move across endpoints, networks, cloud services and applications simultaneously, fragmented security creates gaps that attackers exploit ruthlessly.
Today we have coverage for 80 plus percent of the industry, which means our customers can come talk to us about a myriad of problems, and we can actually cross-correlate across all the different things we do.
With AI deployments touching every part of the technology stack, that cross-correlation becomes essential. Data flows between training environments and production systems. Models access APIs across cloud and on premises infrastructure. Applications consume AI services from multiple providers. Security that can't see and correlate across that entire landscape will miss the threats that matter most.
First Principles Over Tradition
What drives Arora's ability to spot inflection points isn't just pattern recognition, it's his refusal to accept how things have always been done.
His pet peeve: "Somebody said, well, this is how we've traditionally done it." The response reveals his approach: "You use the word traditional. I use the historical context saying, yeah, sure, they used to dig fields with picks and shovels, and now they use tractors."
This thinking drove Palo Alto Networks to reimagine SOC performance. The industry accepted four days as the normal time to detect and remediate security incidents. Arora called that unacceptable. "We need to get it to be real time."
The result was a fundamentally different architecture that analyzes data as it arrives rather than waiting for problems to appear, enabling 1-minute detection and response instead of four days.
Traditionally, SOCs would analyze the problem when the problem appeared. We said forget it. We're going to analyze everything to see if there's a problem. That architecture fundamentally transformed what we do compared to everybody else in the market.
The same first-principles approach needs to apply to AI security. Organizations can't simply extend existing security models and hope they work.
What Comes Next
With ransomware attacks now completing in as little as 25 minutes (100 times faster than just three years ago, according to Unit 42 research) reactive security simply can't keep pace. Organizations need security that thinks and responds at machine speed, built into AI deployments from day one.
"AI has become the biggest inflection point in current technology," Arora observes. Organizations are too busy deploying to worry about security. That's human nature. But it's also the moment when security teams need to stay in lockstep.
The question isn't whether to secure AI, it's whether security will be designed in or bolted on. The former takes strategic thinking now. The latter takes crisis management later.
Our job at Palo Alto and our industry is to make sure as they go build these experimental ideas into real production capability that we're staying in lockstep with them and saying, โOh, by the way, here's something that can secure what you just built in a way that is not gonna get you into trouble.โ
Listen to the full conversation between Nikesh Arora and David Moulton, senior director of thought leadership for Cortexยฎ and Unit 42, on the 100th episode of Threat Vector.
How Ripley's Fight for Survival Became My Blueprint for SOC Transformation
I'll admit it. I wasn't planning to rewatch science fiction horror films when I sat down to write about modern cybersecurity challenges. But there I was, staring at yet another draft about SOC modernization when our content team threw out a wild idea: What if we explained threat actors through the lens of a Science Fiction movie like Alien?
Yo, Hicks. I think we got something here!
Against my better judgment, I queued up the original 1979 film. Somewhere between the chest-burster scene and Ripley's desperate attempt to purge the Nostromo's systems, it hit me: This crew had every problem a modern security operations center faces daily.
Stay with me here.
The Unknown Threat Aboard Your Ship
In the original Alien, the crew of the Nostromo responds to what they think is a distress signal. Spoiler alert: It's not. By the time they realize they've brought something deadly aboard, it's already loose in the ship's ventilation system, moving freely through areas they can't monitor.
Sound familiar? That's exactly how modern breaches unfold. Threat actors don't announce themselves with flashing lights and alarm bells. They exploit a vulnerability, establish a foothold, and move laterally through your environment while remaining undetected. According toย recent Unit 42ยฎ research, the mean time to exfiltrate has dropped from nine days in 2021 to just two days in 2023. Some incidents now occur in under 30 minutes. The xenomorph's (the alienโs) rapid lifecycle has nothing on modern ransomware operators.
The Nostromo crew's problem wasn't just the alien. It was that their ship's systems couldn't tell them where the threat actually was. Their motion trackers picked up movement, but couldn't distinguish between crew members, the cat or the xenomorph. Legacy SIEM systems have the same problem, generating thousands of alerts without the context to determine which ones represent actual threats.
"I Can't Lie About Your Chances, But You Have My Sympathies"
One of the most chilling moments in Alien comes when Ash, the science officer, reveals he's actually a synthetic programmed by the company to prioritize retrieving the alien specimen over crew survival. "I can't lie to you about your chances, but... you have my sympathies."
This is what alert fatigue feels like in a modern SOC.
Like the Nostromo crew discovering their systems were working against them, security analysts often find their tools generate more noise than signal. Traditional SIEMs bombard teams with redundant alerts while real threats slip through undetected. Analysts spend their days triaging false positives instead of hunting actual threats. Basically, theyโre sorting through motion tracker pings while the xenomorph stalks the corridors.
The Company Knew (And Your Attack Surface Knows Too)
From Aliens (the 1986 sequel), we learn that the Weyland-Yutani Corporation knew about the xenomorph threat all along. They had information about LV-426, but that intelligence never reached the colonists who needed it. The result? An entire colony was lost because critical threat intelligence wasn't properly shared and acted upon.
This is the attack surface management problem in a nutshell.
You can't protect what you can't see. Like the colonial marines arriving at LV-426 with incomplete intelligence, security teams often lack comprehensive visibility across their cloud environments, hybrid infrastructures and sprawling IoT deployments.
Modern attack surface management addresses this:
Providing continuous assessment of your external attack surface.
Identifying abandoned, rogue or misconfigured assets before attackers find them.
Monitoring for vulnerable systems proactively.
Unifying visibility across network, endpoint, cloud and identity.
Think of it as having the schematics and sensor data Ripley desperately needed โ a complete picture of where threats could hide and how they might move through your environment.
The Power Loader Moment: Amplifying Human Response with Automation
In the climactic scene of Aliens, Ripley straps into a power loader exosuit to fight the alien queen. She's still human, still making the decisions, but now she's augmented with technology that amplifies her capabilities and response speed.
This is exactly what AI-driven security operations should do.
Legacy SIEM is like facing the xenomorph queen with your bare hands. Modern AI-driven platforms are the power loader, they don't replace the human operator, but they dramatically amplify what that human can accomplish.
Platforms like Cortex XSIAMยฎ can process over 1 million events per second while reducing the number of incidents requiring human investigation to single digits per day. The technology handles the heavy lifting:
Automated data integration and normalization across all security tools
Machine learning models that detect anomalies in user behavior
Intelligent alert correlation that groups related events into single incidents
Automated response workflows that contain threats in minutes, not hours
Organizations using AI-driven SOC platforms report automating up to 98% of Tier 1 operations. Your analysts still make the critical decisions, they're just equipped with vastly better tools to execute those decisions at machine speed.
The Danger of Fragmented Systems
Throughout the Alien franchise, crew members are constantly struggling with fragmented information. The motion tracker shows movement, but not identity. The door controls are on a different system than life support. Communications are spotty. When seconds count, they're wasting precious time switching between systems and trying to piece together incomplete information.
This is the daily reality in most security operations centers.
The same attack generates alerts in multiple interfaces: your SIEM, EDR console, cloud security platform, identity provider. Itโs like seeing the xenomorph's tail in one system, hearing its hiss in another, and detecting acid blood in a third, but never getting the full picture until it's too late.
The engineering challenge isn't just buying better sensors. It's creating a unified data foundation where security-relevant information is collected, stored and normalized together. When all your security data lives in a single data lake, AI models can recognize patterns that would never surface in siloed systems. Itโs like understanding that the motion tracker ping, the door malfunctioning and the broken steam pipe are all connected to the same threat.
What this unified approach enables:
Cross-data analytics that correlate threats across different data sources.
Complete context of an attack from initial entry to lateral movement.
Automated response that addresses root causes, not just symptoms.
Seamless collaboration between SOC analysts, threat hunters and incident responders.
"Nuke It From Orbit! It's the Only Way to Be Sure"
In Aliens, the solution to an overwhelming infestation is drastic: orbital bombardment. While we don't recommend that approach for cybersecurity (your compliance team will object), there's a lesson here about the importance of decisive, automated response.
When the colonial marines discover the scope of the xenomorph infestation, their problem isn't just detection, it's that their response capabilities can't match the threat's speed and scale. By the time they've cleared one corridor, the aliens have flanked them through the ceiling.
Modern threats move at similar speeds. Attackers can pivot from initial compromise to data exfiltration faster than human analysts can investigate and coordinate responses across multiple tools. This is where automation becomes essential, not as a replacement for human judgment, but as the mechanism that executes decisions at the speed threats actually move.
The key is having the right response capabilities:
Fast enough to outpace attacker movement.
Comprehensive enough to address root causes.
Automated enough to execute without human bottlenecks.
Intelligent enough to avoid collateral damage.
You don't need to nuke your network from orbit. You need response automation that contains threats before they spread.
The Survivor (And Why Human Expertise Still Matters)
Ellen Ripley survives the Alien franchise through a combination of factors: technical competence, situational awareness, decisive action and refusal to give up. But here's what's critical. She's effective not because she's superhuman, but because she's highly trained, learns from experience, and adapts her approach as threats evolve.
The same principles apply to security operations.
AI and automation dramatically improve efficiency and response times, but skilled security professionals remain essential. The goal isn't to replace analysts. It's to free them from repetitive tasks so they can focus on what humans do best: creative problem-solving, threat hunting, strategic thinking.
The cybersecurity labor shortage continues to grow, and analysts experience burnout from manual processes that consume time better spent on high-value activities. Modern platforms address this by automating routine work while augmenting human decision-making. Instead of spending hours manually correlating events and switching between consoles, analysts receive high-fidelity incidents with complete context.
Ripley didn't survive because she had the best equipment (though the power loader helped). She survived because she understood the threat, adapted her tactics, and made smart decisions under pressure. Your security team needs the same combination: World-class tools that amplify their capabilities and free them to do the strategic thinking that actually stops sophisticated threats.
What Ripley Would Do With Modern SecOps
Imagine what the Nostromo crew could have done if they had access to modern security operations technology:
Detected the alien's presence immediately through behavioral analytics instead of relying on motion trackers.
Tracked its movement through integrated sensor data across the entire ship.
Automatically sealed compartments and adjusted life support to contain the threat.
Had complete visibility into every system, eliminating hiding spots and blind spots.
Your organization shouldn't face threats with 1970s technology while attackers use 2025 capabilities. The evolution from traditional log management to AI-driven security operations isn't just about buying new tools. It's about fundamentally transforming how your security team operates, moving from reactive alert management to proactive threat hunting, from fragmented tools to unified platforms, from manual response to intelligent automation.
The xenomorph was a perfect organism: efficient, deadly, focused solely on survival and reproduction. Modern threat actors are similarly evolved, using AI and automation to attack at machine speed. Your defenses need to match that evolution.
In Space, No One Can Hear You Scream, But Your SOC Platform Can
Modern security operations require more than collecting logs and hoping someone notices the anomalies. You need unified visibility, AI-driven analytics and automated response capabilities that can keep pace with threats that move at the speed of code.
Whether you're drowning in alerts, struggling with tool sprawl, or trying to defend against attackers moving faster than human reaction times, there's a better way forward. And unlike the Nostromo crew, you don't have to face it alone with outdated equipment and fragmented systems.
Just comprehensive security, delivered at the speed of AI.
Because in cybersecurity, everyone can hear you scream when your SIEM fails. The question is whether your security operations platform can stop the threat before it gets that far.
Stop Drowning in Alerts (AKA: Your SIEM Shouldn't Feel Like a Motion Tracker): Legacy Security Information and Event Management (SIEM) systems generate thousands of alerts without the necessary context. The modern approach requires moving past redundant alerts to a system that can accurately distinguish between noise and actual threats, a necessity driven by the rapidly decreasing time attackers take to exfiltrate data.
Get the Full Ship Schematics (Because You Can't Fight What You Can't See): Many organizations lack comprehensive visibility across their environments (cloud, hybrid, IoT). A unified approach, which includes continuous attack surface management and a single data foundation, is essential to connect disparate alerts and gain a complete picture of an attack across all security tools.
Give Your Analysts a Power Loader (Not a Pink Slip): AI-driven security operations (SecOps) platforms do not replace human analysts but dramatically amplify their capabilities and response speed, enabling automated data integration, intelligent alert correlation and rapid response workflows to contain threats at "machine speed" before human bottlenecks are reached.