SANS: Top 5 Most Dangerous New Attack Techniques to Watch
For the first time, SANS Institute's five top attack techniques all have one thing in common – AI.
Becky Bracken, Senior Editor, Dark Reading
March 25, 2026
6 Min Read
RSAC 2026 CONFERENCE – San Francisco – Each year SANS researchers head to the RSAC Conference to reveal the five top attack techniques. But 2026 marks a distinct shift: all are powered by artificial intelligence.
“We would be lying to you if we pointed out a trend in attacks that did not involve AI,” SANS president and presentation moderator Ed Skoudis explained to the audience during a keynote session covering the Top 5. “That is just where we are in the industry.”
Attack Technique #1: AI-Generated Zero Days, From Scarcity to Surplus
Zero-day exploits used to belong solely to well-funded nation-state actors stacked with sophisticated researchers. But AI has shattered that barrier to entry into the zero-day game, according to Joshua Wright, faculty fellow and senior technical director of the SANS Institute. In fact, Wright points out that independent researchers have used AI to discover zero days in widely deployed production software for as little as $116 in AI token costs, a fraction of the millions of dollars more sophisticated actors had previously invested in finding such zero days.
“Attackers were already faster than us,” Wright said. “AI has made the gap unbridgeable at our current pace."
It’s up to organizations to get faster to keep up, Wright advised, adding that this can be achieved with accelerated patching, automation, and AI-powered defense tools.
Attack Technique #2: Supply Chain Risks, Your Vendor's Vendor's Vendor
Two out of three organizations were affected by a software supply chain attack over the past year, and there has also been a surge both in third-party involvement in breaches and in the number of malicious packages published to open source registries, Wright said.
He pointed out that the Shai-Hulud worm has infected more than a thousand open source packages and exposed 14,000 credentials across 487 organizations. Likewise, a China-affiliated group compromised the Notepad++ update infrastructure for six months, selectively delivering backdoors to targets in the energy, finance, government, and manufacturing sectors.
"Your attack surface is not the software you chose. It is the entire ecosystem of suppliers behind it,” Wright said.
It’s smart to plan for the next supply chain compromise before it happens, he advised.
To adapt, organizations should demand not just a list of materials, but verifiable proof of how the software was built, he said. They should also treat every update channel and developer tool their teams depend on daily as a potential supply chain risk.
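What "verifiable proof of how the software was built" can look like in practice, as an added example that is not part of the original article or of any SANS material: a Python check that the hash of an artifact you actually hold matches a subject of an in-toto Statement carrying a SLSA Provenance v1 predicate, and that the recorded builder and source repository are ones the organization trusts. The builder IDs, repository URL, artifact bytes and the statement itself are constructed for illustration, and the statement is assumed to have already been extracted from a DSSE envelope whose signature was verified upstream (that step is not shown).

```python
"""Check a downloaded artifact against an in-toto/SLSA provenance statement.

Added example: the statement shape follows in-toto Statement v1 with a
SLSA Provenance v1 predicate; every value below is constructed sample data.
"""
import hashlib
import json

# Assumption: an organization-maintained allowlist of builder identities.
TRUSTED_BUILDER_IDS = {"https://ci.example.invalid/builders/release@v1"}
# Assumption: only releases built from this source prefix are acceptable.
EXPECTED_SOURCE_PREFIX = "https://git.example.invalid/acme/"

# Constructed stand-in for the bytes of a downloaded package.
ARTIFACT_NAME = "widget-1.2.3.tgz"
ARTIFACT_BYTES = b"constructed package contents for widget 1.2.3\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed provenance statement. In a real pipeline it arrives inside a
# signed DSSE envelope; signature verification is assumed to happen before
# this check and is not shown here.
PROVENANCE_JSON = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": ARTIFACT_NAME,
                 "digest": {"sha256": sha256_hex(ARTIFACT_BYTES)}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://ci.example.invalid/build-types/release@v1",
            "externalParameters": {
                "source": "https://git.example.invalid/acme/widget@refs/tags/v1.2.3"
            },
        },
        "runDetails": {
            "builder": {"id": "https://ci.example.invalid/builders/release@v1"}
        },
    },
})


def verify_provenance(artifact: bytes, artifact_name: str, statement_json: str,
                      trusted_builders=TRUSTED_BUILDER_IDS,
                      source_prefix=EXPECTED_SOURCE_PREFIX) -> list:
    """Return a list of findings; an empty list means the artifact passes."""
    findings = []
    stmt = json.loads(statement_json)

    if stmt.get("_type") != "https://in-toto.io/Statement/v1":
        findings.append("unexpected statement type")
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        findings.append("predicate is not SLSA provenance v1")

    # The bytes we hold must be a subject of the statement, matched by digest,
    # so a swapped or tampered download fails even if its name is right.
    digest = sha256_hex(artifact)
    subjects = stmt.get("subject", [])
    if not any(s.get("name") == artifact_name
               and s.get("digest", {}).get("sha256") == digest for s in subjects):
        findings.append(f"artifact {artifact_name} (sha256 {digest[:12]}...) is not a subject")

    # Who built it, and from what source, must match what we expect.
    predicate = stmt.get("predicate", {})
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        findings.append(f"builder {builder!r} is not trusted")

    source = (predicate.get("buildDefinition", {})
              .get("externalParameters", {}).get("source", ""))
    if not source.startswith(source_prefix):
        findings.append(f"source {source!r} is outside the expected repository")

    return findings


if __name__ == "__main__":
    print(verify_provenance(ARTIFACT_BYTES, ARTIFACT_NAME, PROVENANCE_JSON))
    print(verify_provenance(ARTIFACT_BYTES + b"tampered", ARTIFACT_NAME, PROVENANCE_JSON))
```

The point of the check is that an SBOM only tells you what a package claims to contain; the provenance statement ties the exact bytes to a named builder and source, so an update channel that starts serving something else fails closed at the digest comparison.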
Attack Technique #3: OT Complexity & Root Cause Crisis
Robert Lee, SANS Institute fellow and CEO and founder of Dragos, explained that years of OT incident response work have led him to recognize what he called a "growing accountability crisis." Network activity and other critical evidence is often unavailable after an OT compromise; the data often simply evaporates, Lee warned.
A good example of this sort of logging risk was a December 2025 attack on Poland's distributed energy resources that Dragos worked on, Lee explained. Investigators were able to confirm that disruption had occurred, but because no OT monitoring was in place, they had no visibility into what the threat actor was doing inside the systems following the breach.
In another instance, a state-level threat actor with intent to destroy equipment and "kill people" had been targeting a facility that had no visibility into its own infrastructure, he said, without naming the victim. A month later, the facility exploded. Chillingly, investigators still don’t know whether the destruction came from an attack or was simply an accident, Lee said.
"Governments are not going to be comfortable not knowing what happened in their critical infrastructure and why someone died,” Lee said. “That scenario is unacceptable, and it is already happening."
Making matters worse, agentic AI is already present in OT environments, he added, and organizations need to catch up and gain more visibility into these systems. He warned that investment in OT visibility cannot wait until the next catastrophe forces the issue.
Attack Technique #4: The Dark Side of AI, Irresponsible Use in Digital Forensics & Incident Response
Heather Barnhart, head of faculty and senior forensics expert at the SANS Institute and one of the world’s leading DFIR experts, said that organizations deploying AI without training, validation frameworks, and investigative discipline are setting themselves up for failure.
AI doesn’t know what to look for and can’t interpret evidence the way a human can, she added. An AI rendering a confident but incorrect verdict isn’t helpful and certainly doesn’t save any time or resources during a response, Barnhart said.
"Most breaches don't fail because of tools,” Barnhart said. “They fail at decision points. AI cannot be the decision point.”
She reminded organizations that AI is also being used against vectors no one is monitoring, such as AI note-taking tools. The attack surface has ballooned well beyond the network, and trained humans need to be empowered with decision-making authority every step of the way, Barnhart added.
Attack Technique #5: Find Evil: The Race to Autonomous Defense
Rob Lee also said security researchers estimate that AI-driven attacks move 47 times faster than old-school, human-powered approaches. That means threat actors can take a stolen login and spin it into full admin control in an environment like AWS in less than 10 minutes.
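A defender-side illustration of the "stolen login to admin in under 10 minutes" scenario above, added here as an example and not drawn from the article or from Protocol SIFT: a small Python detector that runs over CloudTrail-style records and flags privilege-granting IAM calls made within ten minutes of a successful console login by the same principal, marking those that attach the AWS-managed AdministratorAccess policy. The account ID, user names, IP addresses and event records are constructed sample data, and the watchlist of IAM event names is a starting set chosen for the example, not an exhaustive one.

```python
"""Flag IAM privilege escalation occurring shortly after a console login.

Added example over CloudTrail-style records; all records, names, IPs and the
account ID are constructed sample data.
"""
from datetime import datetime, timedelta

# IAM actions that grant or widen access (assumption: a starting watchlist).
PRIVILEGE_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "CreateAccessKey", "AddUserToGroup", "UpdateAssumeRolePolicy",
}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
WINDOW = timedelta(minutes=10)

# Constructed CloudTrail-like records (only the fields the detector reads).
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-20T12:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2026-03-20T12:03:20Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "alice"}},
    {"eventTime": "2026-03-20T12:05:45Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "alice", "policyArn": ADMIN_POLICY_ARN}},
    # Benign: a login followed by routine activity, and a read-only policy
    # change well outside the window.
    {"eventTime": "2026-03-20T09:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2026-03-20T09:10:00Z", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2026-03-20T09:45:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "carol",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_rapid_escalation(events, window=WINDOW):
    """Return alerts for privilege-granting calls within `window` of a login."""
    by_principal = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        by_principal.setdefault(ev["userIdentity"]["arn"], []).append(ev)

    alerts = []
    for arn, evs in by_principal.items():
        # Anchor the window on the principal's first successful console login.
        login = next((e for e in evs if e["eventName"] == "ConsoleLogin"
                      and e.get("responseElements", {}).get("ConsoleLogin") == "Success"),
                     None)
        if login is None:
            continue
        t0 = parse_time(login["eventTime"])
        for ev in evs:
            if ev["eventName"] not in PRIVILEGE_EVENTS:
                continue
            delta = parse_time(ev["eventTime"]) - t0
            if timedelta(0) <= delta <= window:
                params = ev.get("requestParameters") or {}
                alerts.append({
                    "principal": arn,
                    "event": ev["eventName"],
                    "seconds_after_login": int(delta.total_seconds()),
                    "grants_admin": params.get("policyArn") == ADMIN_POLICY_ARN,
                    "source_ip": ev.get("sourceIPAddress"),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_rapid_escalation(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the detector raises two alerts for alice (a new access key 200 seconds after login, then AdministratorAccess attached at 345 seconds) and none for bob, whose policy change happened 45 minutes after login. The timing constraint is what matters: a ten-minute window is tight enough that a human-reviewed change is unlikely to trip it, while the machine-speed sequence the article describes lands squarely inside it.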
Take a November Anthropic-documented campaign as an example. Known as “GTG 1002,” and attributed to a Chinese state-sponsored group, the operation targeted more than 30 government and financial organizations and used AI tools to automate up to 90% of the attack process, including reconnaissance, exploitation, and lateral movement inside networks. Much of the damage was done without any human help. So how can defenders respond?
"They have their artificial intelligence,” Lee said. “Now we build ours."
He pointed to Protocol SIFT, an open source initiative from SANS Institute designed to help defenders catch up with AI-wielding attackers. It uses AI to organize workflows, surface insights, and coordinate tools. Meanwhile, humans are responsible for validating results and making decisions.
“The goal is to accelerate analysts, not replace them, and early results suggest that the model can significantly compress response times,” Lee said.
In one response exercise involving a sophisticated, two-week attack scenario, an analyst used Protocol SIFT to wrap up the entire investigation in a little less than 15 minutes, including identifying the malware, mapping the attacker’s movements, aligning the tactics, techniques, and procedures (TTPs) to known frameworks, and determining next steps. It’s the ability for defenders to react quickly and coordinate across the global security community that will give them a true edge over attackers, Lee added.
About the Author
Becky Bracken
Senior Editor, Dark Reading
Becky Bracken is a senior editor with Dark Reading who brings decades of journalism experience across radio, print, online and video channels. Becky lends her particular voice and cybersecurity expertise to the Dark Reading Confidential podcast as the host and producer, and moderates the Dark Reading editorial webinars. In addition, she oversees the site's Commentary section, hosts Dark Reading's Black Hat News Desk, and contributes regularly as a writer and reporter. Prior to joining Dark Reading, Becky covered cybersecurity and hosted webinars for Threatpost. Other national media outlets she has contributed to include PBS, SheKnows, Complex, and more.