When the attack takes seconds and the alert comes too late

A well-configured environment. Latest patches. Internal firewall in place. Best practices followed. And still, a zero-day attack compromised the host in under a minute – fully automated, with the attacker barely lifting a finger. Here’s what that means for how MSPs need to think about security.

Key Takeaways:

  • AI-powered attacks now operate faster than any human response team can match
  • Zero-day vulnerabilities – including misconfigurations that will never receive a patch – are far more common than most organisations realise
  • Reactive security isn’t enough on its own anymore; the goal must be eliminating vulnerabilities before they can be exploited
  • Proactive security gives MSPs something tangible: proof that nothing went wrong because of what they did

A well-defended company. A compromised host. Under a minute.

Picture a company that’s done most things right. Windows 11, fully updated. A solid security posture. An internal firewall configured to prevent lateral movement – meaning even if an attacker got onto one machine, they couldn’t easily spread across the network.

To escalate privileges and disable that firewall, an attacker would first need to find and exploit a vulnerability on the initial host. In a well-patched environment, that should be hard.

It wasn’t.

A social engineering lure – a convincing fake browser update prompt – got a user to run a command. From there, an automated attacker tool scanned the host for vulnerable software, found a privilege escalation vulnerability in a Citrix telemetry component, replaced a file with a malicious payload, and disabled both the local firewall and Windows Defender. The whole sequence ran autonomously. The attacker could have been making coffee.

By the time the user noticed the firewall was off and called IT to turn it back on, the attacker was already persistent on the host. The firewall went off again before the IT administrator had walked back to their desk.

That’s the reality of machine-speed attacks. Reacting to them after the fact isn’t a security strategy. It’s damage control.

The vulnerability problem is bigger than most people think

The attack in this scenario used a zero-day – a vulnerability with no available patch, and in some cases, no patch possible.

Zero-days used to be rare and expensive. Finding them required deep expertise and significant time. AI tools are changing that. Attackers are now using AI to discover vulnerabilities that would previously have taken weeks to find manually – including highly specific weaknesses that exist on a single system, in a single customer environment, nowhere else.

Across real customer environments, more than 90,000 hosts have been found carrying vulnerabilities of exactly this type. And critically, many of them will never be patched. Some are CVE-registered software vulnerabilities. Others are combinations of system misconfiguration and software behaviour that no vendor will take ownership of – no CVE, no fix, no update. They simply exist, quietly, until someone finds them.

The honest reality for MSPs: every system your customers run deserves scrutiny. AI-powered attackers will give it that scrutiny whether you do or not.

Reactive security still matters – but it’s not enough on its own

XDR telemetry, alert detection, incident response – none of that becomes irrelevant. When an attacker moves more slowly, reactive capabilities can still catch and contain them. That matters.

But when attacks operate at machine speed, the window between compromise and containment narrows to the point where human response can’t reliably close it in time. By the time an alert surfaces, the attacker may already have what they came for – or be so deeply embedded that remediation becomes a major incident.

The more useful frame is: reactive security buys time when proactive security hasn’t eliminated the risk. The goal is to harden hosts well enough that, if a machine is compromised, the attacker stays contained on that one host until a defender can act. One infected machine to restore is a manageable problem. A network-wide compromise is not.

Proactive security is what makes that containment possible – and what can eliminate the risk entirely before the attacker ever gets the chance.

What proactive security actually looks like

The same attack, run against a company whose MSP had deployed both Exposure Management and XDR working together, produced a completely different result.

Before the attack arrived, the platform had already detected the Citrix telemetry privilege escalation vulnerability on the affected hosts. It had analysed sensor data, identified the risk, and surfaced a clear description of the vulnerability, what it meant, and how to mitigate it – without requiring the MSP’s team to do the investigative work manually.

Because uninstalling the component wasn’t an option, the recommended mitigation was a targeted permission change – less disruptive than isolation, equally effective at closing the vulnerability. A few clicks applied the fix across all affected hosts.
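The "targeted permission change" described above comes down to making sure that no low-privilege account can write to, delete or replace files in a directory that a privileged component loads from. The PowerShell audit below is an added example, not code from the keynote or from any vendor platform; the directory path is a constructed placeholder, not the real Citrix location, and the list of principals is an assumption about what should never hold write rights on such a path.

```powershell
# Added example: report (and optionally remove) write-type access held by
# low-privilege principals on a directory used by a privileged component.
param(
    [string]$TargetPath = 'C:\PLACEHOLDER\TelemetryComponent',  # constructed placeholder path
    [switch]$Remediate                                          # only strip ACEs when set
)

# Principals that should never be able to modify binaries a privileged process runs.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Only the rights that allow creating, changing, deleting or re-ACLing files.
# Deliberately excludes read/execute bits so ordinary read access is not flagged.
$writeMask = [System.Security.AccessControl.FileSystemRights] `
    'CreateFiles, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

$acl = Get-Acl -Path $TargetPath
$risky = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $lowPrivPrincipals -contains $_.IdentityReference.Value -and
    (([int]$_.FileSystemRights) -band ([int]$writeMask)) -ne 0
})

if ($risky.Count -eq 0) {
    "OK: no low-privilege write access on $TargetPath"
    return
}

foreach ($ace in $risky) {
    'RISK: {0} holds {1} on {2} (inherited: {3})' -f `
        $ace.IdentityReference, $ace.FileSystemRights, $TargetPath, $ace.IsInherited
}

if ($Remediate) {
    # Inherited entries cannot be removed directly; break inheritance first,
    # keeping a copy of the current entries so nothing else changes.
    if ($risky | Where-Object IsInherited) { $acl.SetAccessRuleProtection($true, $true) }
    foreach ($ace in $risky) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path $TargetPath -AclObject $acl
    "Removed low-privilege write access on $TargetPath; confirm the component still starts."
}
```

Run it first without -Remediate to see what would change, and extend the same check to the files inside the directory (Get-ChildItem -Recurse) since a permissive ACE on a single binary is enough.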

When the same attacker, using the same payload, hit this environment, the privilege escalation failed. The vulnerability they relied on no longer existed. Contained on the initial host with no path forward, the attack stalled. The attacker moved on to easier targets.

No major incident. No 2 a.m. call. No damage control.

The conversation this changes for MSPs

There’s a specific business value in this worth naming clearly.

Reactive security generates visible work. Incidents happen, the MSP responds, and the customer sees the effort. Proactive security, done well, creates the opposite: nothing happened, and customers don’t always connect that outcome to the MSP’s work.

But “nothing happened because of what we did” is actually the stronger conversation. It’s the difference between being the team that fixes problems and being the team that prevents them. That’s a harder thing to demonstrate – but it’s what proactive security makes possible.

When a vulnerability is found, mitigated, and documented before an attacker ever reaches it, the MSP can show exactly what they found, what they did, and what it prevented. That’s a tangible, defensible record of value delivered – not just effort expended.

In a market where AI-powered attacks are becoming the norm and mid-market organisations can’t build their own 24/7 security operations, MSPs who can demonstrate proactive prevention have a meaningfully different offer than those who can only promise fast response.

Frequently asked questions

Q: If a zero-day has no patch, what can actually be done about it?
A: Patching is one mitigation, but not the only one. Misconfigurations can be corrected. Permissions can be restricted. Components can be isolated or removed. Exposure Management surfaces these options so MSPs can act without waiting for a vendor fix that may never come.

Q: How do you find vulnerabilities that don’t have a CVE?
A: By analysing how systems are actually configured and how software components interact – not just by cross-referencing a list of known CVEs. The vulnerabilities that never get a CVE are often the most persistent, precisely because no patch is coming.

Q: Does proactive security replace the need for XDR and incident response?
A: No. The two work together. Proactive security reduces the attack surface and eliminates vulnerabilities before they can be exploited. XDR catches what gets through. Incident response handles what XDR didn’t stop. The goal is to make the latter two capabilities needed as rarely as possible.

Q: What does “machine speed” actually mean in practice?
A: In the scenario above, the time from the initial social engineering click to privilege escalation and the firewall being disabled was a matter of seconds. The entire sequence was automated – no human attacker typing commands, just AI-driven tooling executing a campaign at a pace no human defender can match in real time.

This is what security must look like now

Not next year. Not after the next major incident forces the conversation. Now.

The threat landscape has moved. AI tools have given attackers scale, speed, and the ability to find vulnerabilities that previously took significant expertise to discover. The organisations – and the MSPs serving them – that respond by staying in reactive mode are playing a game where the odds are increasingly against them.

The ones building proactive security into their offer are doing something different. They’re removing risk before it becomes an incident. They’re buying defenders time when prevention isn’t complete. And they’re building the kind of track record that turns security from a cost conversation into a trust conversation.

That’s stronger business. And stronger conversations with every customer.


This blog is based on Jarno Niemelä and Hannu Simonen’s keynote at SPHERE2YOU Helsinki in April 2026. Watch the full session at https://youtu.be/id5L68AI71I.