
The Collapse of Predictive Security in the Age of Machine-Speed Attacks

SecurityWeek, archived Mar 18, 2026

With exploitation of vulnerabilities taking just days, preemptive security must be the new model for defenders.



The new reality in 2026 is that the predictive window has collapsed. By the time a defender can predict and disrupt an attack, it is already too late. Criminal exploitation of high-risk vulnerabilities is increasing in both volume and speed. The cause is partly AI, but mostly the industrialization of cybercrime. Internet access brokers (IABs) are more efficient, while criminals are increasingly adopting smash-and-grab tactics (more accurately, perhaps, ‘silent entry and grab’): enter, exfiltrate, and depart. The effect is that predictive security is failing. There isn’t time to predict and prevent an attack because exploitation is too fast. “Risk is realized almost immediately after a vulnerability is operationalized,” states a new Rapid7 analysis report. “It’s just a few days from vulnerability disclosure to exploitation in the wild,” explains Christiaan Beek, VP of cyber intelligence at Rapid7. There’s no time for the vendor to issue a patch and the defender to install it. “The actors are already exploiting it – the predictive window has collapsed.” The Rapid7 report calls for a switch from predictive security to preemptive security. “Preemptive security means reducing the conditions attackers rely on before exploitation occurs, detecting and responding with full environmental context, and prioritizing action based on material risk, not alert volume.” Internet access brokers are a primary cause for this necessary shift in defense, and the success of infostealers is key to the IABs’ efficiency. “Infostealers provide a gold mine of information that attackers can use,” comments Beek. The logs work both ways, of course: defenders can obtain the same logs, learn that their credentials are on the dark web, and immediately respond by changing or rotating them. That’s an intelligence-based preemptive action rather than a predictive response.

Elsewhere in defense, preemption includes the basic security hygiene that we still fail to do – obvious actions like properly implemented MFA, credential rotation, control and regulation of OAuth tokens, encryption, automatic auditing of additions to the environment (such as SaaS apps) and more. Hygiene is not, however, fail-safe. AI-assisted social-engineering spear-phishing is becoming more sophisticated and more successful. Credentials stolen in this manner may never appear in the logs absorbed by the IABs – especially if the actor is a nation-state APT acting by itself, for itself. APT activity always increases whenever geopolitical tensions rise. Those tensions have been high for several years, are continuing to grow and spread, and show no immediate sign of contraction. This situation amply illustrates the need for security to move from predictive to preemptive. Security should no longer react to signals that an attack may happen (predictive) but assume that attacks will happen and prevent them or limit their potential blast radius (preemptive).

So far, AI-assisted spear-phishing is almost self-contained. There is no sign yet of criminals using their own agentic systems to mount autonomous attacks following a successful phish. “I haven’t seen that,” says Beek. “For now, criminals are content with buying access from the dark web logs.” The use of AI in the actual attack has not yet materialized – but that time is surely coming. “I believe within the next few years virtually all cyberattacks will be AI-based – swarming, tailored, and relentless,” commented Kevin Mandia recently. “They will be untethered to human limitations and capable of executing on a scale we have never witnessed before.” But that’s for the future. For now, defenders must defend against the current situation.

Failure to do so is illustrated by the continuing rise of ransomware over the last year. “Ransomware has matured into a speed-optimized access economy,” says Rapid7. “Total ransomware leak posts increased from 6,034 in 2024 to 8,835 in 2025 (a 46.4% YoY rise).” 2024 was bad; 2025 was worse. The total number of ransomware groups continues to grow, and the combination with data blackmail expands. It now typifies the ‘silent entry and grab’ modus operandi of criminal operations. “It’s no longer purely native ransomware,” says Beek. “Criminals grab the data, don’t even install the ransomware, but then try to sell the data on several forums or public sites.”

One thing could assist defenders switching to preemptive defense. The attackers haven’t suddenly started using new attack methodologies – they are simply doing what they have always done more efficiently and much faster. Preemptive security requires assuming that those attacks will happen – so rather than wait for them, we need to get ahead and prevent their success. “To effectively manage cyber risk in 2026, organizations must adopt a fundamental mindshift toward preemptive security,” says Rapid7. “This means moving beyond a reactive, volume-based vulnerability management approach and embracing an exposure management model focused on informed prioritization and anticipation… Success will be defined by the capacity to connect technical exposure to business impact and apply AI-augmented workflows to match the adversary’s machine speed.”

But it also requires reaffirmation of basic security hygiene. “We’re still seeing the same weaknesses happening,” comments Beek. “So, it’s all that basic hygiene and stuff we still seem not to do – and the numbers and the attacks reflect that.” There’s no sudden leap in attacker sophistication or intent. The change is in the speed with which attackers weaponize and exploit vulnerabilities. So, understanding what the attacker wants from your company, and understanding the business severity of their different actions, allows defenders to preempt disaster by preparing the battleground before the inevitable battle begins.
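The preemptive workflow described above (obtaining the same infostealer logs the brokers sell, spotting your own credentials in them, and rotating them) together with the report's call to prioritize by material risk rather than alert volume, as an added Python example that is not code from the article or from Rapid7; the log records, domains, account tiers and scoring weights are all constructed for illustration and are assumptions, not anything the article provides.

```python
"""Triage constructed infostealer-log lines into a credential-rotation queue,
ranked by material risk rather than by number of hits (example code)."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed stealer-log lines in a "DATE | URL | USER | PASS" layout; the
# date is when the log was seen offered for sale.
STEALER_LOG = """
2026-03-10 | https://sso.example-corp.com/login | alice.admin@example-corp.com | Spr1ng2026!
2026-03-10 | https://mail.example-corp.com/owa  | bob@example-corp.com         | hunter2
2026-01-02 | https://shop.unrelated.example/    | carol@gmail.com              | pass123
2026-03-11 | https://vpn.example-corp.com/      | bob@example-corp.com         | hunter2
2026-03-12 | https://sso.example-corp.com/login | dave@example-corp.com        | qwerty
"""
# Constructed identity inventory: what an abused credential could reach.
ORG_DOMAIN = "example-corp.com"
ACCOUNT_TIER = {"alice.admin@example-corp.com": "admin"}  # everyone else: "user"
HIGH_VALUE_HOSTS = {"sso.example-corp.com", "vpn.example-corp.com"}
TIER_WEIGHT = {"admin": 100, "user": 10}

@dataclass
class Exposure:
    account: str
    first_seen: datetime
    hosts: set = field(default_factory=set)
    score: int = 0

def parse_log(text):
    """Yield (seen, host, user) per record; the password is never retained."""
    for line in text.strip().splitlines():
        seen, url, user, _pw = (p.strip() for p in line.split("|"))
        yield (datetime.strptime(seen, "%Y-%m-%d"),
               url.split("/")[2].lower(), user.lower())

def rotation_queue(text, today):
    """Return our exposed accounts, highest material risk first (today: YYYY-MM-DD)."""
    now, by_acct = datetime.strptime(today, "%Y-%m-%d"), {}
    for seen, host, user in parse_log(text):
        if not user.endswith("@" + ORG_DOMAIN):
            continue  # someone else's credential: nothing for us to preempt
        e = by_acct.setdefault(user, Exposure(user, seen))
        e.hosts.add(host)
        e.first_seen = min(e.first_seen, seen)
    for e in by_acct.values():
        e.score = TIER_WEIGHT[ACCOUNT_TIER.get(e.account, "user")]
        e.score += 50 * len(e.hosts & HIGH_VALUE_HOSTS)  # reaches SSO or VPN
        # the longer a log has been on sale, the likelier it was already bought
        e.score += min((now - e.first_seen).days, 14)
    return sorted(by_acct.values(), key=lambda e: -e.score)
```

On the constructed input, the single admin account exposed against SSO ranks above the user account that appears in more records, which is the point of prioritizing by material risk rather than hit count.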
Preemption requires understanding the attacker and understanding your own infrastructure and business. It’s not a new concept. “If you know the enemy and know yourself,” [and prepare and preempt accordingly], “you need not fear the result of a hundred battles.”

Written by Kevin Townsend, Senior Contributor at SecurityWeek. He has been writing about high-tech issues since before the birth of Microsoft; for the last 15 years he has specialized in information security and has had many thousands of articles published in dozens of magazines, from The Times and the Financial Times to current and long-gone computer magazines.