
New research shows a growing divide between AI-augmented attackers and experienced threat actors, with important implications for enterprise security.
If you spend a few minutes reading post-RSA coverage or current industry commentary, you will see a consistent theme: attackers are using AI and, as a result, everything is getting faster, more scalable and harder to defend against. While this may be correct, it is not the full story. What is actually happening inside the cybercrime ecosystem is more uneven and, in some ways, more important to understand.
AI is not changing all cyber attackers in the same way. Instead, it is creating a divide between two distinct types of threat actors, each with different capabilities and operating models. It is important for organizations to recognize this distinction as they prioritize risk and make informed security investments.
The rise of the AI-augmented attacker
On one side of this divide are the AI-augmented attackers. These actors are often less experienced but are able to use AI tools to accelerate tasks that previously required technical depth. They can write scripts, modify existing tools and build basic attack infrastructure very quickly using large language models.
Data from the 2026 State of the Underground Ecosystem report highlights how widespread this behavior has become within certain communities. Among users in more technical forums such as Cracked, a community focused on account cracking and tool development, nearly 48% were found to be using tools like ChatGPT in parallel with their activity. This level of adoption points to a significant shift in how tools are developed and used in practice.
This trend is often referred to as “vibe coding,” where actors rely on AI to generate functional outputs without fully understanding the underlying logic. The result is not necessarily more advanced techniques, but a significant increase in speed and scale. More individuals can now participate in activities that were previously limited to those with stronger technical backgrounds, which in turn increases the overall volume of attacks.
At the same time, more experienced threat actors are not adopting AI in the same way. The same report shows that only about 12% of users on BreachForums, a marketplace for buying and selling breached data, are using AI tools.
This group operates differently. Their work is less about building tools and more about acquiring, monetizing and leveraging access to data. This includes negotiating ransomware payments, trading breached datasets and managing relationships within underground marketplaces. They rely on experience and positioning rather than automation.
As a result, these actors are not dependent on AI to carry out their operations. They rely on precision, access and an understanding of how to extract value from compromised assets. While they may generate less volume, the impact of their activity is often significantly higher.
Why this divide matters
Treating all AI-related threats as the same overlooks what is actually happening. These two groups create very different types of risk, and they should not be approached in the same way.
AI-augmented attackers introduce scale. By lowering the barrier to entry, AI enables a broader set of actors to launch attacks, test techniques and iterate quickly. This increases noise across the environment and puts pressure on detection and response systems.
More experienced actors introduce concentration of risk. They are more selective in their targets and more deliberate in their actions. Their operations are often tied to higher-value outcomes, which makes them less visible but potentially more damaging.
The bigger issue is not just that attackers are becoming more advanced. It is that there are more of them, and they are not all operating in the same way. Treating these threats as one category can lead teams to focus on the wrong priorities.
This divide is also reflected in how underground ecosystems are evolving. According to the report, these forums collectively generated approximately 2.5 million visits in a single month, with a significant portion of activity driven by younger users entering the space. One in three participants falls within the 18 to 24 age range, with earlier entry points emerging through gaming communities and related channels.
We see this same split playing out across the underground itself. Some communities are heavily focused on building and refining tools, where AI is used to speed up development and testing. Others function more like marketplaces, where the focus is on buying and selling data, access and services. In those environments, reputation and relationships still matter more than automation.
The most important takeaway is that AI is changing who can participate in cybercrime and how quickly they can operate.
Security teams need to be prepared for both the increase in volume and the more targeted attacks. Increased automation and accessibility will continue to drive higher volumes of activity, requiring stronger detection, prioritization and response capabilities. At the same time, experienced actors will continue to focus on targeted, high-value operations that demand visibility into access, behavior and intent. Organizations that treat AI-driven threats as a single, uniform category risk missing both ends of this spectrum. Those that recognize the divide will be better positioned to manage both the scale and the impact of modern attacks.
Arik Atar is a senior threat intelligence researcher at Radware, specializing in identifying vulnerabilities, mitigating attacks, and analyzing threat actor behavior. He previously held roles at PerimeterX and Bright Data, focusing on bot attacks, DDoS, and underground cybercrime ecosystems. Arik has spoken at conferences including DEF CON and APIParis and studied counterterrorism and international relations at IDC University.



