Final report, 2026. Third officer reporting.
In cyberspace, no one can hear you scream.
600 million records exposed in France alone. Over 50 major organisations compromised. Among them: LVMH, Dior, Cartier, Air France. The Interior Ministry. Eight regional health agencies. Three of the four largest telecom operators.
Organisations with budgets, security teams, industry-standard defences. Compromised anyway.
Across the Channel, the same pattern. Jaguar Land Rover's September breach halted production for months — the ONS (Office for National Statistics) attributed part of November's GDP decline to the attack. Marks & Spencer reported £206 million in costs. The Foreign Office confirmed a breach in December.
The same week, the European Space Agency disclosed an intrusion on its development servers, its second incident in two years.
The obvious question: why wasn't it enough?
The usual answer is negligence or lack of resources. The 2025 data suggests something else.
The paradox
These organisations ticked the boxes. EDR deployed, SOC operational, compliance validated. Still breached.
Either they were all negligent despite their resources. Or something has changed that renders these defences insufficient.
What the 2025 reports document
Microsoft, Google, and Anthropic published converging analyses in autumn 2025.
Microsoft observes that AI-assisted phishing achieves a 54% click rate, compared to 12% for traditional phishing. That's 4.5 times more effective. A potential 50-fold increase in profitability.
The report also notes 225 AI-generated content samples in state-sponsored operations. Two years ago: zero.
Google identified 57 state-sponsored groups using generative AI tools. More significantly: the emergence of malware that embeds language models in its execution.
PROMPTFLUX rewrites itself every hour by querying an LLM. PROMPTSTEAL, attributed to Russian group APT28, generates its system commands dynamically rather than hardcoding them.
Anthropic documented what it describes as the first large-scale cyberattack executed without substantial human intervention.
An AI agent mapped target networks, discovered vulnerabilities, extracted data. At what researchers called a speed "impossible for human hackers": thousands of requests per second.
Thirty organisations targeted, several successfully compromised. Total human intervention: roughly 20 minutes.
These three reports reach the same conclusion: AI is moving from support tool to active attack component.
Infrastructure under strain
While attackers are scaling up, the global reference infrastructure shows signs of exhaustion.
The US government experienced 43 days of shutdown. CISA operated at 35% staffing.
The NVD backlog exceeds 20,000 unprocessed vulnerabilities. MITRE now uses an LLM to compensate for "lack of time or expertise" among its analysts. 24% of their database required re-examination.
32% of vulnerabilities are exploited on the day they're published. Patches still take weeks to deploy.
In September 2025, 78% of actively exploited vulnerabilities had not yet been flagged by the federal agency responsible for tracking them.
The alert system can no longer keep pace.
What changes in 2026
The tools that enabled these attacks are democratising. The MCP protocol has become an open standard. Open-source models offer comparable performance at a fraction of the cost.
Google puts it this way: AI integration "enables actors with limited resources to operate more effectively and at lower cost."
Anthropic is more direct: "Less experienced groups can now conduct large-scale attacks."
On the offensive side, state investments are accelerating. The US administration has allocated $1 billion for cyber operations with private contractors.
The National Security Council's cyber director speaks of "destigmatizing and normalizing" offensive use.
What regulation won't solve
Europe fell behind on NIS2. In May 2025, the Commission sent formal notices to 19 member states. France postponed its debates to 2026.
The delay is a symptom. Regulation enshrines the existing model: obligations focused on detection, patching, compliance. It optimises a paradigm that struggles against attacks adapting in real time.
Organisations waiting for regulation to act have already lost. Those who comply without questioning the model risk ticking boxes while attacks bypass them.
What this implies
I distinguish what the data shows from what I infer.
The data shows: well-equipped organisations are being compromised, AI automates complex attacks and adapts them in real time, the alert infrastructure is faltering, state investments favour offence.
I infer: the model predicated on detecting abnormal behaviour is losing effectiveness. Attackers can blend into legitimate traffic, adapt their code dynamically, operate faster than the patch cycle.
What remains uncertain: the precise timing of the tipping point, the emergence of alternative approaches, whether organisations can change before being forced to.
1987
Why wasn't it enough?
Because the deployed defences rest on an assumption: malicious behaviour is distinguishable from normal behaviour. This assumption dates from 1987. It underpins the entire detection industry.
Against malware that rewrites itself every hour, an agent operating at thousands of requests per second, an attacker generating commands dynamically — this assumption wavers.
The compromised organisations of 2025 didn't fail through negligence. They applied a model reaching its limits.
2026 will democratise the tools that made these attacks possible.
Alternatives exist: radical segmentation, architectures that limit propagation, approaches that accept the incident and focus on survival.
The terrain remains uncharted. That may be where it matters.
Sources
- Microsoft Digital Defense Report 2025, October 2025
- Google Threat Intelligence Group, "Advances in Threat Actor Usage of AI Tools", November 2025
- Anthropic, "Disrupting the first reported AI-orchestrated cyber espionage campaign", November 2025
- European Space Agency, official statement, 30 December 2025
- UK Office for National Statistics, GDP estimates, November 2025
- NIST NVD Status Updates, November 2025
- MITRE CWE Top 25 Methodology, December 2025
- VulnCheck, "State of Exploitation 1H 2025", July 2025; "October 2025 Research Highlights", October 2025
- European Commission, NIS2 Transposition Status, May 2025
Originally published on LinkedIn on 2026-01-02