AI Is Now the Decisive Variable in Cybersecurity
The 2024–2026 window marks the inflection point at which artificial intelligence became the dominant variable in cybersecurity outcomes. The evidence is no longer theoretical. A 2024 Wharton study found that AI-generated spear phishing emails outperformed human-crafted ones by 40% on click-through rate. A Hong Kong company lost US$25 million to a deepfake CFO video call that authorised fraudulent wire transfers. AI-powered credential stuffing tools can test millions of username/password combinations per hour against public login pages.
On the defensive side, the picture is equally transformed. AI-powered anomaly detection surfaces compromises that evade rule-based SIEM correlation logic. Graph neural networks detect lateral movement patterns that are invisible in individual event logs. LLM-powered security analysts can investigate alerts in natural language, compressing threat-hunting timelines from eight hours to twenty minutes.
The organisations that understand both sides of this equation — and invest asymmetrically in AI-powered defence — will define security outcomes for the next decade.
The AI Security Asymmetry
Offensive AI is already democratised: LLM-powered attack tools sell on dark web markets for $50–200/month. Defensive AI requires significant infrastructure investment and operational expertise. This creates a capability asymmetry that every organisation must address through deliberate investment in AI security tooling; the gap cannot be closed by human effort alone.
AI-Powered Offensive Capabilities
LLM-Powered Spear Phishing at Industrial Scale
Traditional spear phishing required hours of manual research per target. AI-augmented campaigns use LLMs to ingest a target's LinkedIn profile, conference presentations, published papers, social media activity, and public email signatures, generating personalised, contextually accurate phishing content indistinguishable from legitimate communication — in seconds, for thousands of targets simultaneously.
WormGPT, FraudGPT, and their derivatives are actively sold in cybercriminal markets. These jailbroken LLM variants generate Business Email Compromise (BEC) content, malware code, social engineering scripts, and fake invoice templates without commercial safety guardrails. The barrier to sophisticated social engineering has been reduced to a subscription fee.
Real Attack Scenario: LLM-Powered BEC
Attack: Threat actor purchases WormGPT access. Inputs: the CEO's LinkedIn profile, company press releases, and a recent earnings call transcript. The LLM generates 2,000 contextually appropriate BEC emails impersonating the CEO, referencing real company projects and correct financial figures. 380 employees click. 12 authorise fraudulent transfers.
Total time to generate campaign: 45 minutes. Total human effort: near zero. Prevention: FIDO2 MFA + AI email security with LLM-trained detection.
AI-Generated Polymorphic Malware
Generative AI enables threat actors to produce functionally equivalent malware variants at machine speed, each with a unique code structure, variable naming, and execution flow. Traditional signature-based AV cannot keep pace — by the time a signature is written, the AI has generated thousands more variants.
Research presented at Black Hat 2024 demonstrated AI-generated shellcode that passed multiple commercial SAST scanners and AV tools simultaneously. The generated code was functionally identical to known malware but structurally novel. Only behaviour-based EDR with kernel telemetry and ML classifiers trained on execution patterns — not file signatures — reliably detected these payloads.
Autonomous Vulnerability Discovery
Google's integration of LLMs with OSS-Fuzz (AI-enhanced fuzzing) discovered 26 new open-source vulnerabilities in weeks, including a 22-year-old bug in OpenSSL. Threat actors using analogous techniques are compressing the time between vulnerability discovery and weaponisation. The defender's patch window — already measured in days post-disclosure — is shrinking further under AI-assisted exploitation.
Deepfakes and Synthetic Identity
Audio and video deepfake tools now produce convincing synthetic media from a few seconds of reference audio or a handful of photos. Real-world weaponisation includes:
- CFO deepfake vishing: Attackers clone executive voice/video from conference recordings, call finance teams to authorise urgent transfers. $25M lost in one confirmed 2024 case.
- MFA bypass via voice cloning: Calling IT help desks with a cloned executive voice to request MFA resets — the same help-desk vector used in the MGM Resorts compromise.
- Synthetic identity fraud: AI-generated synthetic identities (photos, documents, credit histories) opening accounts for money laundering and fraud.
Adversarial Machine Learning: Attacking AI Defences
Evasion Attacks
Evasion attacks craft inputs that ML models misclassify, so the malicious content passes through without triggering detection. In cybersecurity, this takes several forms (a minimal sketch follows the list):
- Malware evasion: Adding benign code sections, obfuscation, or semantic-preserving transformations to shift feature vectors below malicious classification thresholds
- Network intrusion evasion: Crafting attack traffic with statistical properties that match normal traffic profiles, fooling anomaly detectors
- PDF/document evasion: Embedding malicious macros with document structure that matches benign files in ML feature space
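The feature-space mechanics behind all three variants can be sketched in a few lines. In this toy illustration, the two features (code entropy, import count) and the logistic regression classifier are invented stand-ins for a real detector; the attack loop nudges a malicious sample's features toward the benign region until the verdict flips:

```python
# Toy evasion sketch: perturb a malicious sample's feature vector toward
# the benign region until the ML classifier flips its verdict.
# Features (entropy, import count) are illustrative, not a real detector.
import numpy as np
from sklearn.linear_model import LogisticRegression

rng = np.random.default_rng(1)
benign = rng.normal([2.0, 10.0], 1.0, (200, 2))      # low entropy, many imports
malicious = rng.normal([7.0, 2.0], 1.0, (200, 2))    # high entropy, few imports
X = np.vstack([benign, malicious])
y = np.r_[np.zeros(200), np.ones(200)]
clf = LogisticRegression().fit(X, y)

sample = np.array([7.0, 2.0])                        # a malicious payload's features
step = -clf.coef_[0] / np.linalg.norm(clf.coef_[0])  # direction that lowers the malicious score
while clf.predict([sample])[0] == 1:
    sample += 0.1 * step                             # each step = a semantic-preserving transform
print("evasive feature vector:", sample.round(2))    # now classified benign
```

Each perturbation step corresponds to a behaviour-preserving change to the artefact (padding, dead code, obfuscation), which is why static classifiers need to be paired with behavioural telemetry.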
Data Poisoning
Supply chain attacks targeting AI systems poison training data to corrupt model behaviour. Attack vectors include: compromised threat intelligence feeds, poisoned malware sample repositories (VirusTotal manipulation), synthetic "benign" samples injected to move the decision boundary, and label-flipping attacks that reclassify malicious samples as clean in training datasets.
The consequence: a poisoned ML-based email security model consistently misclassifies phishing emails from specific domains as legitimate. The attack is silent, durable, and extremely difficult to detect without continuous model performance monitoring.
A minimal scikit-learn sketch of that boundary shift, using illustrative synthetic clusters rather than real malware features:

```python
# Conceptual poisoning demo: synthetic "benign" samples injected near the
# malicious cluster (A) shift the decision boundary and open a blind spot:
# malware variants in the injected region now bypass the classifier.
import numpy as np
from sklearn.linear_model import LogisticRegression

rng = np.random.default_rng(0)
benign = rng.normal(0.0, 1.0, (200, 2))
malicious = rng.normal(4.0, 1.0, (100, 2))    # cluster A: 100 malicious samples
poison = rng.normal(2.5, 0.3, (50, 2))        # 50 "clean"-labelled samples near cluster A's edge
X, y = np.vstack([benign, malicious]), np.r_[np.zeros(200), np.ones(100)]
Xp, yp = np.vstack([X, poison]), np.r_[y, np.zeros(50)]
variants = rng.normal(2.5, 0.3, (40, 2))      # new malware variants in the injected region
clean_rate = LogisticRegression().fit(X, y).predict(variants).mean()
poisoned_rate = LogisticRegression().fit(Xp, yp).predict(variants).mean()
print(f"variant detection before poisoning: {clean_rate:.0%}, after: {poisoned_rate:.0%}")
```
AI-Powered Defensive Capabilities
UEBA and Behavioural Analytics
User and Entity Behaviour Analytics (UEBA) platforms establish statistical baselines for normal activity — login times, data access volumes, network destinations, command execution patterns — then flag deviations that exceed a defined threshold. Machine learning enables dynamic baselines that adapt to legitimate behaviour changes while still flagging anomalous ones.
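A toy version of this baselining, assuming a per-user daily feature vector (login hour, data read, distinct hosts touched); the feature set and contamination rate are illustrative assumptions, not a product configuration:

```python
# Toy UEBA baseline: fit an unsupervised model on 30 days of per-user
# activity features, then score new days for anomaly. Feature choices
# (login hour, MB read, distinct hosts) are illustrative assumptions.
import numpy as np
from sklearn.ensemble import IsolationForest

rng = np.random.default_rng(7)
baseline = np.column_stack([
    rng.normal(9, 1, 30),      # habitual login hour, around 09:00
    rng.normal(200, 40, 30),   # roughly 200 MB read per day
    rng.poisson(3, 30),        # roughly 3 distinct hosts per day
])
model = IsolationForest(contamination=0.05, random_state=0).fit(baseline)

today = np.array([[3, 2400, 17]])  # 03:00 login, 2.4 GB read, 17 hosts
print("anomalous" if model.predict(today)[0] == -1 else "normal")
```

In production the model is refit on a rolling window, so legitimate behaviour changes are absorbed into the baseline rather than alerting indefinitely.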
Graph Neural Networks for Lateral Movement
Individual authentication events, process launches, and network connections look unremarkable in isolation. Graph neural networks model relationships between entities — users, machines, services, data stores — and detect suspicious traversal patterns that only become visible when the complete graph is analysed. An attacker who logs in normally, elevates privileges through a service account, and accesses three servers over 72 hours generates no individual alert — but their graph traversal pattern is highly anomalous.
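The value of the graph view can be shown with a deliberately simplified sketch: networkx and a path-novelty check stand in here for a trained GNN, and the entities and 90-day baseline are invented:

```python
# Simplified graph view of lateral movement: each edge (logon) looks normal
# in isolation, but the end-to-end traversal path is novel. A production
# system scores paths with a trained GNN; here we just compare to baseline.
import networkx as nx

G = nx.DiGraph()
# 72 hours of events, each unremarkable on its own (illustrative data)
G.add_edges_from([
    ("alice", "workstation-12"),          # normal interactive logon
    ("workstation-12", "svc-backup"),     # privilege pivot via service account
    ("svc-backup", "db-server-1"),
    ("svc-backup", "db-server-2"),
    ("svc-backup", "file-server-9"),
])
baseline_paths = {("alice", "workstation-12")}   # traversals seen in the last 90 days

for target in ["db-server-1", "db-server-2", "file-server-9"]:
    for path in nx.all_simple_paths(G, "alice", target):
        if tuple(path) not in baseline_paths:
            print("anomalous traversal:", " -> ".join(path))
```

A real GNN scores learned embeddings of these traversal patterns rather than exact path matches, but the principle is identical: the signal lives in the relationships, not in any individual event.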
LLM-Augmented SOC Operations
Security operations centres face an alert-volume crisis: SOC analysts receive hundreds of alerts per shift, with false positive rates exceeding 50% in many environments. LLM-powered analysis layers (Microsoft Security Copilot, CrowdStrike Charlotte AI, Google SecLM) allow analysts to:
- Query SIEM data in natural language: "Show me all processes launched by svchost.exe in the last 24 hours that made outbound connections to non-standard ports"
- Get automated investigation summaries: LLM analyses the alert, pulls relevant threat intelligence, and presents a natural-language investigation brief
- Generate response playbooks: LLM drafts containment and remediation steps based on the specific alert context
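The pattern behind these products can be sketched with any LLM API. This is a generic illustration, not any vendor's integration; the model name, system prompt, and table schema are assumptions:

```python
# Sketch of the natural-language-to-query pattern using a generic
# OpenAI-compatible client. Model name, prompt, and schema are
# illustrative assumptions, not a vendor's actual integration.
from openai import OpenAI

client = OpenAI()  # assumes OPENAI_API_KEY is set in the environment

SYSTEM = (
    "Translate the analyst's question into a KQL query against the "
    "DeviceNetworkEvents table (Timestamp, InitiatingProcessFileName, "
    "RemotePort). Return only the query."
)
question = ("Show me all processes launched by svchost.exe in the last "
            "24 hours that made outbound connections to non-standard ports")

resp = client.chat.completions.create(
    model="gpt-4o-mini",
    messages=[{"role": "system", "content": SYSTEM},
              {"role": "user", "content": question}],
)
print(resp.choices[0].message.content)  # review before executing in the SIEM
```

Generated queries should be reviewed before execution, both because the LLM can hallucinate schema and because alert content fed to the model is untrusted input and a potential prompt injection channel.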
Defensive AI Architecture
```
          AI-Powered Security Architecture
          ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                ┌─────────────────────────────┐
                │     THREAT INTELLIGENCE     │
                │  OSINT · STIX/TAXII · ISAC  │
                └──────────────┬──────────────┘
                               │
┌──────────┐ ┌──────────┐ ┌────▼─────┐ ┌──────────┐
│  EMAIL   │ │ ENDPOINT │ │   SIEM   │ │ NETWORK  │
│ AI Filter│ │  ML EDR  │ │   + AI   │ │  NDR AI  │
└────┬─────┘ └────┬─────┘ └────┬─────┘ └────┬─────┘
     │            │            │            │
     └────────────┴─────┬──────┴────────────┘
                        │
              ┌─────────▼─────────┐
              │   LLM SECURITY    │
              │   ANALYST LAYER   │
              │ Natural Language  │
              │   Investigation   │
              └─────────┬─────────┘
                        │
              ┌─────────▼──────────┐
              │  SOAR AUTOMATION   │
              │ Autonomous Response│
              │  Human Escalation  │
              └────────────────────┘
```
Tools & Frameworks
| Category | Tool/Framework | Use Case |
|---|---|---|
| Threat Knowledge | MITRE ATLAS | ML adversarial tactics and techniques taxonomy |
| ML Security Standards | OWASP ML Top 10 / LLM Top 10 | Risk framework for ML and LLM applications |
| Regulatory | NIST AI RMF, EU AI Act | AI risk management and compliance |
| AI-Powered SIEM | Microsoft Security Copilot with Sentinel, Google SecOps | LLM-augmented threat investigation |
| AI EDR | CrowdStrike Falcon, SentinelOne Singularity | ML-based endpoint threat detection |
| AI Email Security | Abnormal Security, Proofpoint Nexus | LLM-trained phishing detection |
| Adversarial ML Defence | IBM Adversarial Robustness Toolbox | Testing ML model robustness |
Common Organisational Mistakes
- Treating AI security tools as "fire and forget": ML models drift, degrade, and can be poisoned. Continuous model performance monitoring is essential.
- Underestimating deepfake social engineering: Existing voice/video verification procedures were not designed to detect AI-generated synthetic media. Callback verification over pre-agreed channels is the only reliable countermeasure for high-value authorisations.
- No adversarial testing of AI security tools: Security teams rarely red-team their own ML classifiers. Vendors need to be challenged with adversarial samples routinely.
- Ignoring MITRE ATLAS: Most threat modelling exercises use ATT&CK but ignore ATLAS. Any organisation deploying AI systems must threat-model those systems using ATLAS as the framework.
- Relying on signature-based AV as a layer alongside AI EDR: The combination creates false confidence, because AI-generated polymorphic malware bypasses signatures entirely. Behavioural detection must be the primary layer.
Implementation Strategy
- Step 1: Deploy AI-powered email security with LLM-trained detection before any other AI investment — email is the #1 initial access vector
- Step 2: Implement FIDO2 hardware MFA enterprise-wide — phishing-resistant authentication blocks credential theft even when LLM-generated lures are convincing
- Step 3: Deploy AI-augmented SIEM with UEBA capabilities — 30-day baselining period before alerts go live
- Step 4: Establish ML model governance: inventory all AI security tools, define performance KPIs, and implement monitoring for model drift and poisoning indicators (a minimal drift-monitoring sketch follows this list)
- Step 5: Threat model all AI systems using MITRE ATLAS — identify your AI-specific attack surface before adversaries do
- Step 6: Red-team AI security tools quarterly with adversarial samples — validate that detectors still work against current evasion techniques
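For the model governance in Step 4, one widely used drift signal is the Population Stability Index (PSI) between the score distribution a model produced at deployment and its live scores. A minimal sketch, using synthetic score distributions; the bin count and the 0.2 alert threshold are conventional rules of thumb, not a standard:

```python
# Population Stability Index (PSI) between training-time and live model
# scores. Rising PSI indicates drift (or poisoning) worth investigating.
import numpy as np

def psi(expected: np.ndarray, actual: np.ndarray, bins: int = 10) -> float:
    edges = np.quantile(expected, np.linspace(0, 1, bins + 1))
    e_pct = np.histogram(expected, edges)[0] / len(expected) + 1e-6
    a_pct = np.histogram(actual, edges)[0] / len(actual) + 1e-6
    return float(np.sum((e_pct - a_pct) * np.log(e_pct / a_pct)))

rng = np.random.default_rng(3)
train_scores = rng.beta(2, 5, 10_000)   # classifier scores at deployment
live_scores = rng.beta(2, 3, 10_000)    # live scores skewing higher
value = psi(train_scores, live_scores)
print(f"PSI = {value:.3f}" + ("  -> drift alert" if value > 0.2 else ""))
```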
Future Research Directions
The AI security landscape in 2027+ will be shaped by: autonomous AI agents with persistent access to enterprise systems creating new insider threat vectors; multimodal deepfakes combining real-time video, audio, and document generation; AI-vs-AI attack/defence races where offensive AI automatically probes for weaknesses in defensive AI; quantum-AI intersection where quantum computers accelerate ML model training for both attack and defence optimisation.
The most significant open research question is: can AI-powered defences scale faster than AI-powered attacks, or does the asymmetry fundamentally favour attackers? Current evidence suggests that well-resourced defenders with AI investment can maintain parity, but the gap between well-resourced and under-resourced organisations is widening rapidly.
Expert Conclusion
AI has irreversibly changed the cybersecurity equilibrium. Organisations still relying on signature-based detection, human-speed threat response, and rule-based security logic are structurally disadvantaged against AI-augmented adversaries. The response is methodical: AI-powered defence investment, adversarial ML resilience testing, and AI security governance as a first-class discipline.
The security leaders who will succeed in this environment are those who understand AI not as a product to purchase, but as a capability to develop — with the same rigour applied to training models, monitoring performance, and testing robustness as to any other critical security control.
Frequently Asked Questions
Can AI generate malware that evades antivirus detection?
Yes. LLM-assisted tools can produce polymorphic malware variants that change structure on each execution, evading signature-based detection. Research at Black Hat 2024 demonstrated AI-generated shellcode passing multiple commercial SAST/AV tools. Behaviour-based EDR running in kernel space remains the primary effective countermeasure.
What is adversarial machine learning?
Adversarial ML involves crafting inputs specifically designed to fool AI/ML systems. In cybersecurity, attackers perturb malware samples to avoid AI classifiers (evasion attacks), or inject poisoned data into training pipelines to corrupt model behaviour (poisoning attacks). Defences include adversarial training, model ensembling, and anomaly detection on model inputs.
What is MITRE ATLAS?
MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a knowledge base of adversarial tactics and techniques targeting ML systems, analogous to the ATT&CK framework for traditional enterprise security. It documents real-world attack patterns including model evasion, data poisoning, model theft, and adversarial prompt attacks.
How is AI used in phishing and social engineering attacks?
AI analyses targets' social media, LinkedIn, conference talks, and public emails to generate hyper-personalised phishing content indistinguishable from legitimate communications. Underground tools like WormGPT and FraudGPT enable non-technical attackers to generate BEC content at scale. AI-generated voice cloning is used for vishing attacks targeting MFA resets and wire transfer approvals.
What is an adversarial example?
An adversarial example is an input crafted with subtle perturbations — often imperceptible to humans — that causes an AI model to misclassify. In image-based malware detection, pixels are adjusted to shift classification from "malicious" to "benign." In NLP, paraphrasing or synonym substitution evades text-based classifiers while preserving meaning.
How does AI-powered threat hunting work?
AI-powered threat hunting uses unsupervised ML to establish behavioural baselines for users, endpoints, and network flows, then flags statistically anomalous deviations. Graph neural networks model entity relationships to detect lateral movement chains. LLM-powered interfaces allow analysts to query threat data in natural language, accelerating hypothesis investigation from hours to minutes.
What is a model poisoning attack?
Model poisoning attacks corrupt an AI security model by injecting malicious data during training. If attackers can influence training data — through compromised threat intelligence feeds, poisoned malware sample repositories, or supply chain attacks on ML pipelines — they can create backdoors where specific inputs cause misclassification at inference time.
Are deepfakes actually being used in real attacks?
Yes. AI-generated audio and video deepfakes are actively used in social engineering. In 2024, a Hong Kong company lost HK$200 million (US$25 million) when attackers used video deepfakes to impersonate a CFO on a live video call, authorising fraudulent transfers. Voice deepfakes targeting MFA bypass and wire transfer approval represent immediate operational risk.
What is the OWASP LLM Top 10?
The OWASP LLM Top 10 documents the most critical security risks in LLM applications: Prompt Injection (#1), Insecure Output Handling, Training Data Poisoning, Model Denial of Service, Supply Chain Vulnerabilities, Sensitive Information Disclosure, Insecure Plugin Design, Excessive Agency, Overreliance, and Model Theft. It provides a framework for securing any application built on LLMs.
How should organisations defend against AI-powered attacks?
Layer defences: deploy AI-powered email security with LLM-trained phishing detection; implement FIDO2 hardware MFA to neutralise credential phishing even when content is convincing; use behavioural biometrics and continuous authentication to detect account takeover; maintain AI model integrity through provenance verification and anomaly monitoring; and red-team AI security tools regularly with adversarial samples.