โŒ

Reading view

39 Seconds โ€” That's How Long It Takes to Lose Your Data

Not hours. Not days. It takes thirty-nine seconds from initial access to data exfiltration.

That stat, pulled from Unit 42ยฎ research, isn't hypothetical. It's what defenders are up against right now, while most organizations are still building security teams around manual detection and response workflows that were never designed to operate at machine speed.

Wendi Whitmore, Chief Security Intelligence Officer at Palo Alto Networks, put it plainly in a recent conversation on the Threat Vector podcast, recorded live at RSA this year:

If you're applying a manual detection and response capability, you are going to be beat by the attacker every day.

It's the kind of sentence that should make security budgets move faster.

The Threat Landscape Doesn't Wait for Organizational Consensus

Whitmore has spent nearly 25 years tracking nation-state actors, and she's unequivocal about what's changed. The adversaries today aren't just better funded and more sophisticated. They're faster, and increasingly AI-powered.

Consider what's converging right now:

Chinese nation-state groups like Volt Typhoon and Salt Typhoon have been operating with near-surgical patience inside critical infrastructure, leveraging existing administrative tools to avoid detection. Volt Typhoon is focused on military prepositioning in power grids, water systems and telecommunications. Salt Typhoon has been systematically collecting intelligence from those same networks. Neither group announces itself with novel malware. They disappear into environments using the tools already there.

Meanwhile, threat actors tied to Iran are operating with entirely different objectives: tactical disruption and destruction. And financially motivated cybercriminal groups are automating ransomware campaigns at a pace that has compressed attack timelines from weeks to minutes.

Every CISO is being asked to defend against all of them simultaneously, while also managing their organization's AI expansion, and doing it without adding headcount.

Speed Is the New Perimeter

When Whitmore references the 39-second exfiltration window, she's pointing at something structural, not just alarming. It reflects how completely the attacker's operational tempo has shifted.

The 72-minute data breach figure from Unit 42 Incident Response data is equally striking: From initial access to full data theft in the time it takes to sit through a decent movie. A 400-times year-over-year increase in exfiltration speed isn't a trend. It's a fundamental change in the physics of an attack.

"There is no way that we are going to defeat these adversaries if we are working at manual speed," Whitmore explained. The answer isn't just more analysts. It's fighting AI with AI, letting machines handle the volume and velocity, so humans can focus on the problems that actually require human judgment.

Two Sides of the Same AI Problem

Here's where the conversation gets more nuanced and more important.

Most of the AI-in-security conversation focuses on the offensive side: adversaries using generative AI to craft convincing phishing lures, accelerate reconnaissance and automate attack sequences. That's real, and it's accelerating.

But Whitmore raised the other half of the problem, one that gets far less attention: The attack surface that organizations are creating by deploying AI without securing it.

Innovation of AI doesn't so far outpace the security of AI.

This is the outcome she wants to see. Right now, that's not what's happening. Business pressure to deploy AI quickly is outrunning the security architecture required to protect it. Every new AI deployment touching production data, cloud APIs and enterprise systems expands the attack surface. Shadow AI, prompt injection, model poisoning: These are not future threat vectors. They're present tense.

The distinction Whitmore draws is useful: AI for cybersecurity (faster detection, automated response, reduced analyst burden) needs to advance in parallel with cybersecurity for AI (securing the models, prompts and data pipelines that organizations are building on). One without the other creates exactly the kind of asymmetry attackers will exploit.

Visibility Is Where It Starts

Whether the conversation is about defending against nation-state actors or securing AI deployments, Whitmore keeps returning to the same foundation of visibility.

Not complexity. Not more tools. Visibility is a single, unified view of what's happening across endpoints, networks, cloud and AI systems, thatโ€™s fast enough to matter when the window is measured in seconds, not days.

For SOC teams, that means being able to detect and contain a threat before a compromise of one system becomes an enterprise-wide event. For CISOs thinking about AI governance, it means understanding what's being deployed, what's being prompted, and where the data is going before an incident surfaces for them.

The organizations Whitmore sees succeeding aren't the ones with the largest security budgets. They're the ones with the clearest picture of their environment, and the architecture to act on it in real time.

The Win Looks Different Now

Perhaps the most important reframe in the conversation is that the objective is no longer to prevent every attack. That goal is not achievable against adversaries operating at AI speed with nation-state resources.

The win is resilience. Detecting fast and containing fast. Keeping one compromised endpoint from becoming an enterprise-wide breach.

That shift in framing, from prevention to rapid recovery, has significant implications for how security teams are built, how AI is integrated into workflows, and how CISOs make the case for investment to leadership that still thinks in terms of keeping attackers out.

The adversaries already know the perimeter is gone. The question is whether your defense strategy has caught up.

Want to Dig in More?

Listen to the full interview here.

The Unit 42 2026 Global Incident Response Report goes deep on the threat trends shaping how modern attacks unfold. If you want the data behind the headlines, start here. Download the Report โ†’

The post 39 Seconds โ€” That's How Long It Takes to Lose Your Data appeared first on Palo Alto Networks Blog.

  •  

Security posture improvement in the AI era

Itโ€™s only been a few weeks since Anthropic announced the Claude Mythos Preview model and launched Project Glasswing with AWS and other leading organizations. This has generated a lot of discussion about the future of cybersecurity and what the ever-increasing capabilities of foundation models mean to organizations.

As AWS CISO Amy Herzog pointed out in the Project Glasswing announcement, โ€œAt AWS, we build defenses before threats emerge, from our custom silicon up through the technology stack. Security isnโ€™t a phase for us; itโ€™s continuous and embedded in everything we do.โ€

Read more from Amy about this in Building AI defenses at scale: Before the threats emerge.

While the discussion around the future of cybersecurity is important, the only thing we know for certain is that organizations need to be able to react quickly to the rapid changes AI is bringing to technology and business in general. And you canโ€™t react quickly if your security fundamentals arenโ€™t dialed in.

The security hygiene gap

Itโ€™s easy to assume you have the foundational security elements covered, or to overlook some completely. Basic security use cases like identity management, threat detection, vulnerability management, data protection, and network security can be inconsistently implemented across cloud environments. While AI is reshaping the security landscape, strong security fundamentals continue to be essential for every organization, regardless of size or industry.

These are the security basics that matter whether or not youโ€™re adopting AI: patching consistently, enforcing least-privilege access, enabling logging and monitoring, encrypting data at rest and in transit, and reviewing security configurations regularly. When these fundamentals are in place, youโ€™re better positioned to take advantage of AI-driven tools and respond to newly discovered vulnerabilities, wherever they come from.

While the concepts that drive security fundamentals are universal, implementing them in your environment is best done with an understanding of the context unique to your organization. Thatโ€™s why we have a multitude of freely available materialsโ€”like the AWS Well-Architected Frameworkโ€”that you can use to help ask the right questions and implement changes in your environment. We also offer programs like the Security Health Improvement Program (SHIP) to help you improve your security posture through prescriptive guidance and continuous improvement.

What is the Security Health Improvement Program (SHIP)?

SHIP is a no-cost program available to every AWS customer, regardless of support tier. SHIP provides a proven, data-driven methodology to:

  • Assess your current security posture using data from your AWS environment
  • Identify specific opportunities to improve across 10 core security use cases
  • Build a prioritized action plan tailored to your environment
  • Establish a mechanism for continuous security improvement

The program is led by AWS Solutions Architects and Technical Account Managers who take you through a personalized report, contextualize findings for your environment, and help you build a prioritized action plan.

Why SHIP matters in the AI era

Project Glasswing highlights an important shift: AI-powered tools are accelerating the pace of vulnerability discovery, which means organizations need to be prepared to assess and respond to findings and changing situations faster than before. In addition to external factors, as organizations adopt AIโ€”whether deploying foundation models, building agentic workflows, or using AI-powered servicesโ€”how they implement their security controls must change as well. A strong security foundation is what makes confident AI adoption possible.

Hereโ€™s how SHIP helps:

Address foundational security gaps proactively

SHIP uses a data-driven methodology to identify opportunities to improve and optimize across 10 core security use cases: threat detection, cloud security posture management, application security testing, configuration management, access governance, vulnerability management, application protection, network security, encryption, and secrets management. The program includes a SHIP assessment to identify critical security findings related to your current security posture, so your team can build a prioritized roadmap for improvement tailored to your environment.

Establish the security baseline AI workloads require

Before you deploy your first model on Amazon Bedrock or build agentic workflows with Amazon Bedrock AgentCore, you need confidence that your underlying infrastructure follows security best practices. SHIP uses actual data from your environment to provide prescriptive, specific guidance rather than generic security recommendations. This is especially relevant as AI-driven vulnerability discovery tools become more widely available: organizations with strong baselines will be able to act on new findings quickly and effectively.

Build a mechanism for continuous security improvement

As AI capabilities evolve, organizations benefit from having a repeatable process to assess and strengthen their security posture over time. SHIP establishes the methodology and mechanisms for your team to continuously assess, prioritize, and improve. By building this operational capability, youโ€™re strengthening your organizationโ€™s ability to adapt and contributing to broader industry resilience. As the cybersecurity community integrates AI into defense strategies, SHIP helps you maintain foundational best practices so you can adopt these innovations effectively and with confidence.

Getting started is straightforward

SHIP is available today, at no cost, to every AWS customer. Hereโ€™s how to get started:

  1. Talk to your AWS account team. Ask about scheduling a SHIP engagement, or request one directly on the SHIP page.
  2. Attend a SHIP Activation Day. AWS regularly hosts hands-on workshops where you can run the SHIP assessment with AWS Solutions Architects and start building your improvement plan.
  3. Explore the prescriptive guidance. Consult the AWS Well-Architected Framework โ€“ Security Lens for documentation, reference architectures, and implementation guides you can start using today.

Take the next step together

AWS is committed to being the most secure cloud, from our participation in Project Glasswing to the security embedded in every layer of our infrastructure. Security is a shared responsibility, and programs like SHIP give customers the tools, guidance, and support to strengthen their security foundations so they can build confidently, no matter what comes next.

Ready to improve your security posture? Contact your AWS account team to schedule a SHIP engagement, or visit the SHIP resources page to learn more.

Celeste Bishop

Celeste Bishop

Celeste is a Senior Security Specialist at AWS, based in Austin, Texas. Over the past five years, she has held a range of security-focused roles spanning field and product marketing, developer relations, and executive engagement. She partners closely with customers, security leaders, and field teams to help organizations operate securely in the cloud. Celeste holds a Bachelorโ€™s in Economics from the University of Texas at Austin.

  •  
โŒ