The dominant story in cybersecurity right now goes roughly like this: AI is about to dramatically lower the cost of producing zero-days and weaponizing n-days. Agentic offensive tooling will scan, exploit, and pivot at machine speed. Jailbroken or purpose-built offensive models will commodify capabilities that used to require teams of specialists. A vulnpocalypse is coming.
A lot of that is probably right, in part. The volume of offensive capability is going up. The cost curve is bending. That much is fair.
But the narrative tends to stop there. It treats the defender as static - same tools, same blind spots, same economics - facing an attacker that just got more leverage. That assumed asymmetry is what makes the story sound like an apocalypse.
Looking at the actual research and product landscape, that framing misses the other half of what’s happening. The same shift is, in many cases, handing defenders a set of capabilities that didn’t exist at scale a few years ago. Few people are talking about them loudly because they don’t fit the panic narrative. But they’re the things I’d watch on a 6, 12, 24-month horizon.
Five of them, in rough order of how much I think they matter.
1. Post-authentication visibility, finally
For two decades, security has been mostly blind once an attacker is past the perimeter or past an auth boundary.
EDR sees, at minimum, process and file signatures. Network detection sees flows and known-bad indicators. SIEM correlates after the fact. Low- and medium-interaction honeypots see scans, banner grabs, weak credential attempts - pre-auth noise.
Each of those tools is necessary, well-engineered, and getting better every year. That isn’t the issue.
What those systems still don’t see well is the operator. An attacker - human or agentic - making decisions inside an environment they believe is real. Which directories do they enumerate first. What credentials do they try to escalate with. Which lateral path do they take when two are available. Where do they pause. What do they exfil first.
That signal has historically only been available to a few well-resourced threat intel teams running bespoke deception, or to incident responders piecing it together after a breach. The rest of the industry has often treated post-auth as a black box and tried harder to prevent the auth from being breached in the first place. Reasonable strategy. Incomplete one.
What’s changed: the cost of standing up high-fidelity, high-interaction deception at scale is, for the first time, within reach of normal defensive teams. Spinning up convincing, instrumented decoy services - full applications, full operating systems, full data - is no longer a research project for most use cases. It’s becoming an operational capability.
The implication isn’t “honeypots replace EDR.” It’s that for the first time, a defender of normal size and budget can have a continuous, structured view of what an attacker actually does once inside. That’s a category of visibility we’ve often been pretending we had via logs, but didn’t.
If you read the threat landscape and conclude that post-compromise dwell time and lateral movement are where most damage happens, the question that follows is uncomfortable: what do you actually see once an attacker is past the front door? For most organizations, the honest answer remains not much. That’s the gap closing.
2. Agentic attackers leave fingerprints
If you’ve watched an LLM-driven agent attempt a task, you know it has a behavioral signature. It’s exhaustive in ways humans usually aren’t. It’s fast in ways that don’t match human pacing. It fails in characteristic patterns - repeated retries on the same syntactic mistake, prompt leakage in error paths, over-narration of intent in tool calls, decision sequences that follow training-corpus structure rather than environment structure.
The same is true when those agents are pointed at offensive tasks. Recon at uncharacteristic breadth. Exploit attempts that try every known variant against a target rather than reasoning about which variant fits. Lateral movement that prefers the canonical path documented in textbooks over the actual path that makes sense in this specific environment.
This is fingerprintable. And it’s increasingly fingerprintable cheaply, because the fingerprints don’t require zero-day detection or deep packet inspection - they’re behavioral, observable in command sequences and timing.
We’re early on this. Published work is thin and most of what’s known is internal to a few teams. But “tell agentic recon apart from human recon” is a tractable detection problem, not a science-fiction one. Counter-intelligence on agentic adversaries - including coarse attribution back to the family of model or tooling driving them - is, in my view, a real defensive primitive on a 6 to 24 month horizon, not a decade out.
The thing to notice: this is a capability that didn’t exist at all five years ago. It’s a defensive lane that opens because of the offensive shift, not in spite of it.
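To make "behavioral, observable in command sequences and timing" concrete, here is an added sketch (not code from this post or from any product) that scores a decoy shell session on three of the traits described above: pacing, blind retries, and breadth. The session records, feature names and thresholds are all constructed assumptions for illustration.

```python
from statistics import median

# Constructed sessions (not real captures): (seconds since login, command,
# exit code) as a high-interaction decoy shell might record them.
AGENT_LIKE = [
    (0.0, "id", 0), (0.8, "uname -a", 0), (1.5, "cat /etc/passwd", 0),
    (2.3, "sudo -l", 1), (3.0, "sudo -l", 1), (3.8, "sudo -l", 1),
    (4.5, "ls /home", 0), (5.2, "ls /root", 2), (6.0, "ls /opt", 0),
    (6.7, "ls /srv", 0), (7.5, "ls /var/backups", 0), (8.2, "ls /mnt", 0),
]
HUMAN_LIKE = [
    (0.0, "id", 0), (9.0, "ls", 0), (31.0, "cd /opt/app", 0),
    (44.0, "ls -la", 0), (95.0, "cat config.yml", 1),
    (101.0, "cat config.yaml", 0), (140.0, "sudo -l", 1),
]

# Assumed thresholds; tune against your own decoy telemetry.
RULES = {
    "median_gap_s": lambda v: v < 2.0,            # faster than human pacing
    "blind_retry_ratio": lambda v: v >= 0.15,     # same failing command re-run
    "distinct_cmds_per_min": lambda v: v > 20.0,  # exhaustive breadth
}

def features(session):
    """Reduce one session to the three behavioural features scored below."""
    times = [t for t, _, _ in session]
    gaps = [b - a for a, b in zip(times, times[1:])]
    # A blind retry: the previous command failed and was re-issued unchanged.
    retries = sum(1 for prev, cur in zip(session, session[1:])
                  if prev[2] != 0 and cur[1] == prev[1])
    minutes = max(times[-1] - times[0], 1.0) / 60.0
    return {
        "median_gap_s": median(gaps),
        "blind_retry_ratio": retries / len(gaps),
        "distinct_cmds_per_min": len({c for _, c, _ in session}) / minutes,
    }

def classify(session):
    """Return (label, rules that fired); two or more hits means agent-like."""
    if len(session) < 3:  # too short for timing statistics to mean anything
        return "insufficient-data", []
    f = features(session)
    hits = [name for name, rule in RULES.items() if rule(f[name])]
    return ("agent-like" if len(hits) >= 2 else "human-like"), hits

if __name__ == "__main__":
    for name, s in (("agent_like", AGENT_LIKE), ("human_like", HUMAN_LIKE)):
        print(name, classify(s))
```

Requiring two independent rules to fire keeps a fast human typist or a single scripted loop from being labelled on timing alone.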
3. Deception finally scales
The classic objection to honeypots and deception was economics. Convincing decoys are expensive to build and maintain. A handful of static honeypots in a flat network are easy for a competent attacker to skip.
That objection was correct. It is starting to expire.
Generating coherent fake services, fake data, fake user behavior, fake logs - at the volume and quality needed to make decoys credibly outnumber real assets - used to be a multi-year program inside a research org. The same models that worry the offensive side make this a tractable engineering problem on the defensive side.
The consequence is interesting: in the limit, an agentic attacker facing a high-density decoy network starts wasting the very advantage AI gave it - breadth. Speed and exhaustiveness, the things AI gives the attacker, are exactly the things decoy density punishes. The attacker who would have surgically picked three real targets out of a small honeynet now has to triage a sea of high-fidelity ambiguity.
Deception was always a good idea that didn’t scale. That’s the part that’s ending.
4. Defensive prompt injection
This one is edgier, and the field is genuinely split on whether it’s a good idea. I’ll describe what’s possible rather than advocate.
Agentic offensive tools read what they encounter. They read web pages, file contents, banners, error messages, configuration files, READMEs, source code. Anything they parse is, in principle, an instruction surface.
That’s a vulnerability for the attacker.
A decoy environment can be seeded with content that, when read by an LLM-driven agent, deflects, fingerprints, or logs that agent in ways the agent doesn’t realize. Not as a parlor trick - as a defensive primitive. The prompt-injection attack surface that’s been a headache for defensive AI deployments is, on a deception system, an asymmetric tool for the defender.
This raises real questions - operational, legal, ethical, scope-of-defense. But the primitive works, and it’s cheap. We’ll likely see it deployed in the wild on both sides over the next 6 to 24 months, and the boundary between defensive and offensive use will be debated for a long time after.
5. Detection at machine speed
The asymmetry argument cuts both ways. If agentic offense can reason across logs, configs, and code at speeds humans can’t match, agentic defense can correlate signals across logs, telemetry, and historical incidents at the same speed.
This is the least flashy item on the list and probably the most consequential operationally. Time-to-detect for sophisticated intrusions has historically been measured in months. The bottleneck has rarely been “we didn’t have the data.” It’s been “no human was going to read all of it.”
That bottleneck is moving. Not gone - but moving. Defensive agents that read everything, correlate continuously, and surface narratives rather than alerts are a different operating model than the SOC of 2020. The good versions don’t replace analysts; they get out of their way.
A pattern from the last big shift
It’s worth remembering, even if it’s uncomfortable, what happened the last time the security community saw a major offensive shift coming.
From roughly 2017 onwards, the people reverse-engineering ransomware payloads were sounding clear, public warnings. The code was getting more professional - version numbers, modular builds, proper release cycles, specialized roles between operators, brokers, and developers. Volume was rising. Variety was rising. The pattern was visible to anyone looking carefully, years before it hit mainstream attention.
The advanced defensive industry - IR teams, mature SOCs, threat intel - was specifically worried that enterprises were standing up detection projects without a matching investment in containment, neutralization, and post-compromise response. The implicit bet across most organizations was that better detection would be enough.
Then the wave arrived. Through 2020 and 2021, in the worst possible window - hospitals during the COVID-19 pandemic, manufacturers, municipalities, mid-market companies across the world - many of the organizations that had bet purely on detection lost data, paid ransoms, or were operationally crippled. Detection alone, without the corresponding containment and post-compromise capability, often turned out not to be enough. Some of the consequences, particularly in healthcare, were severe.
The industry has since corrected. The lessons of 2020 are now reasonably well absorbed at the practitioner level.
The uncomfortable observation is that we now appear to be in roughly the same configuration as 2018-2019 - just with a different threat shape. The wave is being announced. Experts are publishing. The narrative is loud. And once again, the defensive equipment that would actually create a step-change - post-auth visibility, scaled deception, agentic fingerprinting, machine-speed correlation - is not yet being deployed at the scale the situation suggests.
I want to be careful here, because I genuinely don’t like fear-driven security marketing, and I don’t believe traditional techniques are obsolete. EDR, MFA, segmentation, patching - all still essential. The point isn’t that they fail. The point is that they were never designed to give defenders a usable view of an agentic operator inside an environment they think is real, and they aren’t going to acquire that capability simply by being upgraded.
The risk, in other words, isn’t really that the apocalypse arrives. The risk is that in 2027 or 2028, careful retrospectives describe this period as another announced wave that the industry watched coming and chose not to equip against - because the equipping required was unfamiliar, and the panic narrative crowded out the operational one.
We’ve been here before. It would be useful not to be here again.
Where this leaves the framing
None of this makes the offensive shift unimportant. Volume of capability matters. Cost of attack going down matters. The teams reporting that operational red-team work is moving faster aren’t lying.
But the framing of “AI breaks security” rests on an assumption that defense is static while offense gets new tools. That assumption, in general, is the part I’d push back on, calmly.
The hard part isn’t proving these defensive primitives exist. The hard part is making them operationally boring enough to survive real enterprise constraints - messy networks, alert fatigue, change management, procurement timelines, skill gaps, legacy stacks. That’s where the industry’s energy should be going on the 6, 12, 24-month horizon. Not on whether deception, fingerprinting, post-auth visibility, and machine-speed detection can work - they can - but on making them ordinary.
Looking at the dynamics, the next 6 to 24 months in security probably aren’t a vulnpocalypse. They’re a redistribution of who has visibility, who can fingerprint whom, and where the asymmetries sit. Some of those redistributions hurt defenders. Several of them help - meaningfully, and on a faster timeline than the panic narrative suggests, if the industry actually picks them up.
The risk to the industry isn’t getting the threat wrong. It’s getting overwhelmed by the threat narrative, missing the defensive shift happening alongside it, and failing - again - to equip during an announced wave. Bad advice during a period of bad framing has a real cost.
The honest summary: protect your VPNs, use MFA - and start treating post-auth visibility, agentic fingerprinting, scaled deception, and machine-speed detection as the defensive primitives they’re becoming, not as research curiosities. The asymmetry isn’t moving in only one direction. Whether the industry moves with it is still an open question.
Personal view, obviously shaped by what we’re building at OHIIHO on high-interaction honeypot infrastructure, and by conversations with practitioners across APAC. All five items above exist in early form today. What remains open is which ones become operational defaults, and how fast.