
5 ways to fortify your network against AI-powered attacks

Summary

– Cybercriminals use a “division of labor” model, handing off compromised networks in an average of 22 seconds, down from over eight hours in 2022.
– Attackers are divided into cybercriminals focused on immediate financial gain and espionage groups optimizing for long-term, stealthy access with median dwell times of 122 days.
– The most common intrusion vectors are exploits (nearly one-third) and voice-based social engineering targeting IT help desks to bypass multifactor authentication.
– Despite AI adoption for reconnaissance and malware, the vast majority of successful intrusions still stem from fundamental human and systemic failures.
– Defensive strategies include treating virtualization platforms as Tier-0 assets, decoupling backups from Active Directory, and shifting to continuous identity verification.

Enterprise networks are under siege, and the attackers are no longer just human. They’re deploying AI-powered tools that operate at machine speed, forcing defenders to rethink every layer of security. Yet, despite the rise of automation on both sides, human error remains the most exploited vulnerability. That’s the central finding from Mandiant’s latest enterprise security survey, which draws on years of frontline breach investigations to map the evolving threat landscape.

The battlefield is shifting. Modern networks are sprawling, interconnected ecosystems that rely heavily on software-as-a-service (SaaS) partnerships. Cybercriminals have mirrored this structure, adopting a division-of-labor model where one group handles low-risk initial access (via malicious ads or fake browser updates) and then passes the compromised system to a second team for deeper penetration. The speed of these handoffs is staggering. In 2022, the average time to transfer access was over eight hours. By 2025, thanks to automation, that window has collapsed to just 22 seconds.

Zero-day exploits are also accelerating. The mean time to exploit a vulnerability now stands at seven days, often before vendors can release a patch. This relentless pace demands a fundamental shift in how organizations defend themselves.

Mandiant categorizes the majority of hands-on-keyboard attackers into two distinct groups. Cybercriminals prioritize financial gain, using ransomware to lock systems and demand payment. They optimize for immediate impact and deliberate recovery denial. On the other end, cyber espionage groups and insider threats focus on extreme persistence, leveraging unmonitored edge devices and native network functions to evade detection. The average dwell time, from intrusion to discovery, is 14 days, but espionage incidents can linger for a median of 122 days.

The high-tech sector (17% of intrusions) and financial sector (14.6%) are the most targeted among more than 16 industry verticals tracked. Nearly one-third of all detected breaches begin with exploits, while the second most common vector is voice-based social engineering targeting IT help desks to bypass multi-factor authentication (MFA) and gain access to SaaS environments.

Artificial intelligence is increasingly used for reconnaissance, social engineering, and malware development. Mandiant observed attackers weaponizing AI tools like the QUIETVAULT credential stealer, which scans compromised machines for AI command-line tools to extract configuration files and steal GitHub and NPM tokens. Still, AI is not yet the primary cause of breaches. “Despite these rapid technological advancements, we do not consider 2025 to be the year where breaches were the direct result of AI,” the report states. “The vast majority of successful intrusions still stem from fundamental human and systemic failures.”

Ransomware tactics have also evolved. Attackers are no longer just encrypting data; they are destroying the ability to recover by deleting backup objects from cloud storage and targeting hypervisor datastores to render all virtual machines inoperable simultaneously. This “move fast and break things” approach forces victims into a corner with no safety net.

On the positive side, defenders are improving. In 2025, 52% of organizations detected intrusions internally, up from 43% in 2024. Faster detection means faster recovery. To stay ahead, Mandiant recommends advanced employee and help desk training to recognize modern attack vectors, including voice-based social engineering and unauthorized MFA reset requests.

Five structural network changes can further fortify defenses:

  • Treat virtualization and management platforms as Tier-0 assets with the strictest access controls.

Mandiant’s researchers conclude that identity is the new perimeter. Simply rotating passwords and enforcing MFA is no longer sufficient. The focus must shift to hardening identity controls and adopting continuous identity verification, especially for third-party vendors. In a world where machines battle machines, the human element still matters most, but it must be supported by a network designed to resist, detect, and recover at machine speed.
(Source: ZDNet)
