AI and the New Offensive Playbook of State-Sponsored Cyberthreat Actors

Our founder, Abhijith B R, was at RSA Conference 2026 in San Francisco on 25 March for a panel on how state-sponsored cyber threat actors are putting AI to work. The room was packed out, which tells you where this topic sits on people's minds right now. Seeyew Mo from DEF CON moderated. He is a former White House cyber official who served as Assistant National Cyber Director for cyber workforce, training and education at the Office of the National Cyber Director, where he led the rollout of the National Cyber Workforce and Education Strategy, and he has also been involved with CyberMaryland. Paul McCarty of OpenSourceMalware and Adam Pennington of MITRE ATT&CK rounded out the line-up. Abhijith was wearing two hats at the conference that week, since he was also hosting Adversary Village, the community he built around adversary simulation and threat-informed defense. He spoke from that side of the table, sharing what he keeps running into in the field: offensive security teams and real threat actors are both leaning on AI now, not just to launch attacks, but to build their tooling, churn through and analyze the data they collect, and generally get more done in less time.

If there was one theme the panel kept coming back to, it was that AI has not really invented a new kind of attack. It has just made the old ones quicker and a lot harder to catch. It is the same weaknesses organizations have always had, only now they get hammered at a speed no human team can match, an exposed credential surfaced and a foothold turned into network-wide access before anyone notices. Phishing is the easy example. The bad grammar and clumsy pretexts we spent years training people to spot are gone, because a model will write a clean, believable lure, copy someone's tone of voice, or stand up a convincing fake portal in seconds. Pair that with automated recon, exploitation an agent can carry, and malware that gets reshaped on the fly to slip past detection, and you are looking at an offensive playbook that scales like software.

To be clear, nobody on stage was selling AI as the answer. A recurring warning was not to tear out defenses that already work and pour the money into AI instead, a move some teams are making and one the panel saw as a real mistake. These tools are genuinely good at gathering and summarizing information, but they still fall apart on the harder analysis, so whatever they produce, detection logic included, needs a human to check it before you lean on it. AI also brings problems of its own, from prompt injection to quietly tampering with the answers a model hands back. Adam Pennington put the defender's side of it plainly: the pace has gotten almost impossible to keep up with, which is the whole reason resilience matters more than trying to block every last intrusion. You assume some of them land, and you build to take the hit.

For us, that is the entire case for emulation. You cannot get ready for an adversary moving this fast by guessing how they might behave. You put the real tactics in front of your team and watch what actually happens. That is the work we do at BreachSimRange every day, threat-led red teaming, breach and adversary simulation, and security control validation built around how AI-augmented attackers operate now, not how they operated a few years ago. It is a simple idea: let your detections, your responders and your people get tested while the stakes are low, so the first time they run into this is not the day a real attacker decides to find out for them.