
In a modern version of Spy vs. Spy, both security teams and cyber criminals are going “all in” on AI. By incorporating a proven threat-intelligence framework, organizations better position themselves to win the war while boosting return on investment (ROI) and business resilience.
By now, cybersecurity teams fully realize that going into battle without artificial intelligence (AI) tools will leave them at a severe disadvantage, which is why they’re arming themselves accordingly: More than three-quarters of organizations have adopted AI for cyber defense purposes, as they seek to enhance their detection and response to phishing, email, intrusion and insider threats.
Security operations teams are also turning to AI solutions to automate security tasks and workflows, boosting threat-intelligence efforts. In doing so, they lower costs while increasing efficiencies in the following ways:
- Analyzing threat logs with AI for faster and more reliable predictive decision-making, and using it to infer from and summarize large data sets, which is critical to responding quickly to ongoing security incidents
- Using AI to supply context, while understanding that AI is only as good as its training data and that humans must stay in the loop to make the crucial decisions
- Identifying connections between threat intelligence and existing data in defense platforms
The impact of these advancements cannot be overstated. AI’s outputs establish the context required to enrich intelligence/security data, leading to more informed decisions. They provide suggested exclusions and enrichments to decrease noise and false positives. They augment and/or even create entirely new threat-hunting playbooks by learning from past incidents. They take deep dives into the data and come out with valuable context regarding frequency, relevance and historical patterns – immediately improving prioritization processes. However, everything produced by AI should still be validated before final decisions are made, as its outputs may look right but often fabricate content that appears to confirm the original inputs.
How does AI bring ROI and business-resilience benefits?
The upshot: Security teams deploying AI and automation reduce breach times by 80 days, while lowering average breach costs by $1.9 million compared to those that don’t, according to IBM’s 2025 Cost of a Data Breach Report.
Such benefits signify the ROI/business-resilience advantages of AI in cyber defense. And they are now a necessity rather than a luxury, because adversaries are weaponizing AI themselves in large numbers. In fact, 74 percent of cybersecurity professionals say AI-powered threats pose major challenges for their organization, and 90 percent expect these threats to make a “significant” impact over the next one to two years.
It’s a classic case of an AI arms race, taking on Spy vs. Spy proportions: In one recent incident, the AI company Anthropic reported that cybercriminals had exploited its Claude/Claude Code products to conduct large-scale extortion attempts, employment fraud, and ransomware sales. In one extortion scheme, an attack targeted 17 organizations – including those in the healthcare, emergency services, government and religious sectors – to steal information and then threaten to expose the data publicly, in order to extort the victims into paying ransoms exceeding $500,000 in certain cases. Note that while the industry is seeing threat actors use AI to automate workflows and malicious playbooks, no attacks that are completely hands-off have been reported.
A proven plan for threat intelligence
So, how can cybersecurity teams counter AI-enabled attacks at this level? By adopting what’s called the “Targeted Hunting integrating Threat Intelligence” (TaHiTI) framework to strengthen their own deployment of AI, with the following three steps:
Initiate. Take advantage of proactive and reactive hunt triggers to reveal new insights about the tactics, techniques, and procedures (TTPs) of potential attackers, along with intelligence about other hunts, security monitoring alerts, incident response and red team activities. MITRE ATT&CK resources for TTP-based threat hunting and detection-engineering training bring value here.
Hunt. Define, refine and enrich hunt hypotheses with contextual threat intelligence and define data sources, analysis techniques, querying and clustering. After analyzing returned data from a hunt query, refine a hypothesis with additional queries and exclusions before validation.
Finalize. Document hunt results and conclusions in tactical, operational and strategic reporting, to prioritize future hunts and ensure repeatability. Reports should include recommended mitigations to improve preventative measures, logging and security monitoring, along with processes such as vulnerability and configuration management. Hand off new hunt outputs to team members overseeing detection engineering, incident monitoring/response, threat intelligence, vulnerability management, etc.
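The three steps above, together with the earlier point that AI-suggested exclusions must be validated before they are applied, can be expressed as one small hunt loop. The following is an added example, not code from the article or from the TaHiTI authors: the process-creation events, the confirmed true positive from a "past incident", the exclusion names and the field names are all constructed, and the "ai-suggested" exclusions stand in for whatever an assistant might propose. The hypothesis is encoded PowerShell on workstations (ATT&CK T1059.001); the refinement step accepts an exclusion only if it removes noise and hides no confirmed true positive; the finalize step emits tactical, operational and strategic report sections.

```python
"""Hunt loop for the TaHiTI steps: initiate (hypothesis) -> hunt (query, refine
with exclusions, validate AI-suggested exclusions) -> finalize (report).
Added example with constructed data; every event, name and field is an assumption."""
from dataclasses import dataclass
from typing import Callable

Event = dict
Predicate = Callable[[Event], bool]

# Constructed process-creation events standing in for EDR telemetry (not real data).
EVENTS: list[Event] = [
    {"id": 1, "host": "ws-01", "user": "jdoe",       "parent": "WINWORD.EXE",      "image": "powershell.exe", "cmdline": "powershell -enc SQBFAFgA"},
    {"id": 2, "host": "ws-02", "user": "svc_backup", "parent": "backup-agent.exe", "image": "powershell.exe", "cmdline": "powershell -enc AAAA -File backup.ps1"},
    {"id": 3, "host": "ws-03", "user": "asmith",     "parent": "explorer.exe",     "image": "powershell.exe", "cmdline": "powershell Get-Process"},
    {"id": 4, "host": "ws-04", "user": "mlee",       "parent": "EXCEL.EXE",        "image": "powershell.exe", "cmdline": "powershell -enc ZQBjAGgAbwA"},
    {"id": 5, "host": "ws-05", "user": "svc_deploy", "parent": "sccm.exe",         "image": "powershell.exe", "cmdline": "powershell -enc QQBBAA== -NonInteractive"},
]

# Constructed: an event the team confirmed as malicious in a past incident.
# Any exclusion that would hide it is rejected, whoever suggested it.
KNOWN_TRUE_POSITIVES: list[Event] = [EVENTS[0]]


@dataclass
class Exclusion:
    name: str
    source: str          # "analyst" or "ai-suggested"
    matches: Predicate   # True when the event should be dropped from the hit list


# Constructed exclusions: one from a prior hunt, three proposed by an assistant.
EXCLUSIONS: list[Exclusion] = [
    Exclusion("backup-agent-known-benign", "analyst",
              lambda e: e["parent"] == "backup-agent.exe" and e["user"] == "svc_backup"),
    Exclusion("office-parent-as-benign", "ai-suggested",
              lambda e: e["parent"].upper() in {"WINWORD.EXE", "EXCEL.EXE"}),
    Exclusion("noninteractive-flag", "ai-suggested",
              lambda e: "-noninteractive" in e["cmdline"].lower()),
    Exclusion("service-accounts", "ai-suggested",
              lambda e: e["user"].startswith("svc_")),
]


def hypothesis_query(events: list[Event]) -> list[Event]:
    """Initiate/Hunt: hypothesis 'encoded PowerShell launched on workstations' (ATT&CK T1059.001)."""
    return [e for e in events
            if e["image"].lower() == "powershell.exe" and "-enc" in e["cmdline"].lower()]


def validate_exclusion(exc: Exclusion, hits: list[Event], known_tps: list[Event]) -> tuple[bool, str]:
    """Accept an exclusion only if it removes some current noise and hides no confirmed true positive."""
    hidden = [t["id"] for t in known_tps if exc.matches(t)]
    removed = [h["id"] for h in hits if exc.matches(h)]
    if hidden:
        return False, f"would suppress confirmed true positive(s) {hidden}"
    if not removed:
        return False, "removes nothing from the current hit list"
    return True, f"removes hit(s) {removed}"


def refine(hits: list[Event], exclusions: list[Exclusion], known_tps: list[Event]):
    """Hunt: apply exclusions one by one, each validated against the original hit list."""
    original = list(hits)
    accepted, rejected = [], []
    for exc in exclusions:
        ok, reason = validate_exclusion(exc, original, known_tps)
        (accepted if ok else rejected).append({"name": exc.name, "source": exc.source, "reason": reason})
        if ok:
            hits = [h for h in hits if not exc.matches(h)]
    return hits, accepted, rejected


def build_report(hits, accepted, rejected) -> dict:
    """Finalize: tactical (what to act on), operational (how the hunt ran), strategic (what to fix)."""
    return {
        "tactical": {"hit_ids": [h["id"] for h in hits],
                     "hosts": sorted({h["host"] for h in hits})},
        "operational": {"data_source": "process-creation events (constructed sample)",
                        "query": "image == powershell.exe AND cmdline CONTAINS '-enc'",
                        "exclusions_accepted": accepted,
                        "exclusions_rejected": rejected},
        "strategic": {"mitigations": ["enable PowerShell script block logging",
                                      "alert on Office applications spawning PowerShell"],
                      "handoff": ["detection engineering", "incident response"]},
    }


def run_hunt(events=EVENTS, exclusions=EXCLUSIONS, known_tps=KNOWN_TRUE_POSITIVES) -> dict:
    hits = hypothesis_query(events)
    hits, accepted, rejected = refine(hits, exclusions, known_tps)
    return build_report(hits, accepted, rejected)


if __name__ == "__main__":
    import json
    print(json.dumps(run_hunt(), indent=2))
```

On the constructed data the query returns four encoded-PowerShell events; the analyst's exclusion and two of the three assistant suggestions are accepted, while the suggestion to treat Office parents as benign is rejected because it would have hidden the confirmed true positive, leaving two hits for the incident-response handoff. Validating against a list of confirmed true positives is the cheapest form of the "validate everything AI produces" check from earlier in the article; in practice that list grows with every closed incident.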
AI cannot serve as a replacement for threat-hunting professionals. But it can perform as an added – and vital – team member that does the legwork of gathering and organizing the telemetry data required to detect threats. This enables teams to focus on more critical issues and actually solve them before an attack, further enhancing the ROI/business-resilience factor.
What’s more, AI will surface context that is often difficult to see in a timely manner yet is essential today. Again, this technology isn’t ready to lead an incident response or hunt. But it will greatly help teams gain a better understanding of a specific threat and take control of it. That will turn small wins into major victories in the ongoing AI arms race.
