When attacks move in minutes, reactive security is already too late

AI has collapsed the attack timeline. Scanning the entire internet for exploitable vulnerabilities takes under two hours. Reconnaissance to compromise: six minutes. A security model that depends on human review before action is architecturally broken.

Key takeaways

✓ Internet-wide vulnerability scanning takes under two hours – and is heading towards minutes

✓ AI lets script-level attackers execute nation-state-grade attacks

✓ Zero-day vulnerabilities can now be discovered at scale using LLMs

✓ Six-minute attack timelines require automated response, not ticket queues

The asymmetry problem

The security industry talks a lot about AI improving defences. That conversation is valid – but incomplete. The same capabilities that help defenders find threats faster help attackers find vulnerabilities faster. And the access barrier is effectively zero.

A nation-state actor always had sophisticated tools. What has changed is that a script-level attacker with a commercial AI subscription can now execute attacks that previously required significant expertise and infrastructure. The attack surface has not grown. The population of capable attackers has.

How fast is fast?

Two numbers matter. First: it currently takes under two hours to scan the entire internet – every reachable IP and port – for known vulnerabilities. When a new vulnerability is disclosed, every exposed system globally can be identified in that window. Monthly patch cycles leave organisations exposed for weeks. That window is shrinking towards minutes with AI-assisted automation.

Second: in documented cases, the full cycle from reconnaissance to active compromise has taken six minutes. If your response process is: alert fires, analyst notified, ticket raised, response authorised, remediation executed – you are working in hours. The attacker is working in minutes. That gap is fatal.

Zero-days at scale

Zero-day vulnerabilities – flaws unknown to the software developer – were historically the domain of nation-state actors. That is changing. Large language models can identify novel software vulnerabilities at a scale and speed that was previously impractical, making zero-day discovery accessible to a broader range of adversaries.

When early AI-driven zero-day research was shared with roughly 50 US-jurisdiction organisations – with no equivalent access for European institutions – the asymmetry was stark. European defenders were at a disadvantage before they knew the threat existed. This is why European threat intelligence capability, built on European telemetry, is a strategic necessity, not a procurement preference.

What proactive security actually means

Proactive security continuously reduces the probability of a successful attack. It has three non-negotiable components:

  • Continuous exposure management: a live, prioritised view of your attack surface – not a quarterly scan. Vulnerabilities found and remediated before attackers reach them.
  • Intelligence-led detection: AI that filters telemetry down to ~50 actionable signals per 1,000 seats per month, so analysts focus on what matters rather than drowning in noise.
  • Automated response: when a genuine threat is identified, containment begins automatically – isolating systems, blocking lateral movement – before human analysts engage.

Together, these capabilities close the window. If your exposure management system identifies a new vulnerability within the hour, your detection catches exploitation attempts in real time, and your automated response contains damage before analysts review the alert – the attacker’s six-minute advantage disappears.

AI plus human: not either/or

AI handles volume – telemetry ingestion, noise filtering, anomaly detection, initial response. Humans handle context – understanding what an anomaly means in a specific environment, making business-risk decisions, investigating complex incidents.

This combination is what makes enterprise-grade security viable for lean teams. A single IT professional, backed by a platform with AI-assisted analysis and 24/7 MDR coverage, can protect what would previously have required a nine-person SOC. The economics change. The capability does not.

Frequently Asked Questions

Q: How fast can attackers really move?

From reconnaissance to active compromise: six minutes in documented cases. Internet-wide vulnerability scanning: under two hours, trending towards minutes.

Q: What is a zero-day and why does it matter?

A vulnerability unknown to the software developer, and therefore unpatched. Traditional signature-based tools offer no protection – only behavioural detection catches it.

Q: Do AI security tools replace analysts?

No. AI handles volume and speed. Humans provide context, investigation depth, and judgment. The most effective operations need both.

Reactive security is no longer viable

The threat landscape is not waiting for organisations to upgrade their architecture. Attacks are accelerating, capable attackers are multiplying, and the exploitation window is collapsing. The organisations that stay ahead are those running continuous exposure management, AI-assisted detection, and automated response – not those filing the most thorough incident reports after the fact.
