
Defensive vs offensive security: AI in threat detection and prevention

11 jun 2026

Cybersecurity has been a cat-and-mouse game since 1995.

Humans write a firewall rule. The hacker bypasses it. They write a new rule. The hacker adapts.

It's reaction against action. Defense is always behind.

AI changes this dynamic. It's not "react" anymore — it's anticipate.

The Reality: Traditional Defense Fails

Your SIEM (Security Information and Event Management) generates 10,000+ events/day. A human analyst can review maybe 100.

The rest? Invisible.

That's where hackers hide.

Examples of Attacks That Go Undetected

  1. Slow Lateral Movement

    • Hacker enters server A
    • Each day, tries accessing 1 different server
    • 30 days later: access to 30 servers
    • Detection rate with simple rules: 0%
  2. Data Exfiltration in Small Doses

    • 1GB of data = obvious anomaly
    • 100MB/hour for 10 hours = can slip through
  3. Credential Compromise

    • Hacker steals password
    • Waits 2 weeks
    • Accesses with legitimate credential at normal time
    • System sees normal login, not attack
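
The slow lateral movement case from the list above, as an added example that is not part of the original post: a per-day rule stays silent while a cumulative 30-day count of new destinations flags the source. Host names, the log and all limits are constructed assumptions.

```python
from collections import defaultdict

DAILY_LIMIT = 5     # simple rule: alert on 5+ new hosts from one source in a day
WINDOW_DAYS = 30    # long-window view (assumed)
WINDOW_LIMIT = 10   # assumed: new hosts per source tolerated across the window

# Hosts each source normally talks to (constructed baseline).
BASELINE = {"server-a": {"db-01"}, "ci-01": {"git-01"}}
# Constructed connection log: (day, source, destination).
LOG = [(d, "server-a", "db-01") for d in range(1, 31)]          # normal traffic
LOG += [(d, "server-a", f"srv-{d:02d}") for d in range(1, 31)]  # one new host per day
LOG += [(d, "ci-01", "git-01") for d in range(1, 31)]
LOG += [(12, "ci-01", "srv-07")]                                # a single new host


def first_contacts(log, baseline):
    """Day on which each source first reached each host outside its baseline."""
    seen = defaultdict(dict)
    for day, src, dst in sorted(log):
        if dst not in baseline.get(src, set()):
            seen[src].setdefault(dst, day)
    return seen


def daily_rule(log, baseline):
    """The simple rule: sources with DAILY_LIMIT or more new hosts on any one day."""
    per_day = defaultdict(int)
    for src, hosts in first_contacts(log, baseline).items():
        for day in hosts.values():
            per_day[(src, day)] += 1
    return sorted({src for (src, _), n in per_day.items() if n >= DAILY_LIMIT})


def window_rule(log, baseline, end_day):
    """Cumulative view: new hosts per source over the last WINDOW_DAYS days."""
    flagged = {}
    for src, hosts in first_contacts(log, baseline).items():
        recent = [d for d in hosts.values() if end_day - WINDOW_DAYS < d <= end_day]
        if len(recent) >= WINDOW_LIMIT:
            flagged[src] = len(recent)
    return flagged


if __name__ == "__main__":
    print("daily rule :", daily_rule(LOG, BASELINE))        # []
    print("window rule:", window_rule(LOG, BASELINE, 30))   # {'server-a': 30}
```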

AI in Security: Offensive Approach

While you defend, the hacker attacks. AI accelerates defense.

1. Anomalous User Behavior

Traditional:

IF login_time > 22:00 THEN alert("Nighttime login")

Problem: legitimate employee works at night.

AI:

User X history:
- Always logs 9am-6pm
- Always from corporate IP
- Accesses 5-10 resources/day

Anomalous event:
- Logged 3am (never done this)
- From residential IP in China (never)
- Accessed 500 resources in 5 min (never)

Anomaly score: 0.98 (alert threshold)
Action: Automatic MFA challenge / temporary account lock

Gain: Detects compromised credentials in minutes
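
A per-user baseline of the kind described above, as an added example that is not code from the original post. A simple statistical baseline stands in for a trained model; the history, the corporate range, the external address and the 0.9 threshold are constructed assumptions.

```python
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed history for one user: (login hour, source IP, resources accessed)
HISTORY = [(9, "10.0.4.17", 6), (10, "10.0.4.17", 8), (9, "10.0.4.22", 5),
           (14, "10.0.4.17", 10), (17, "10.0.4.17", 7), (11, "10.0.4.22", 9)]
CORPORATE_NETS = [ip_network("10.0.0.0/8")]   # assumed corporate address space
ALERT_THRESHOLD = 0.9                          # assumed; tune per environment


def build_baseline(history):
    """Summarise what 'normal' looks like for this user."""
    hours = [h for h, _, _ in history]
    volumes = [n for _, _, n in history]
    return {"first_hour": min(hours), "last_hour": max(hours),
            "vol_mean": mean(volumes), "vol_std": pstdev(volumes) or 1.0}


def anomaly_score(event, baseline):
    """Average of three per-feature scores, each in [0, 1]."""
    hour, ip, volume = event
    # Time: 1.0 when the login falls outside the observed working window (+/- 1h).
    in_window = baseline["first_hour"] - 1 <= hour <= baseline["last_hour"] + 1
    hour_score = 0.0 if in_window else 1.0
    # Origin: 1.0 when the source address is outside every corporate network.
    addr = ip_address(ip)
    net_score = 0.0 if any(addr in net for net in CORPORATE_NETS) else 1.0
    # Volume: z-score above the mean, capped so 4 sigma or more counts as 1.0.
    z = (volume - baseline["vol_mean"]) / baseline["vol_std"]
    vol_score = min(1.0, max(0.0, z) / 4.0)
    return round((hour_score + net_score + vol_score) / 3.0, 2)


def decide(event, baseline):
    """Map the score to the response the text describes."""
    score = anomaly_score(event, baseline)
    return ("mfa_challenge" if score >= ALERT_THRESHOLD else "allow", score)


BASELINE = build_baseline(HISTORY)
if __name__ == "__main__":
    print(decide((3, "203.0.113.50", 500), BASELINE))  # off-hours, external, bulk access
    print(decide((23, "10.0.4.17", 8), BASELINE))      # employee working late
```

Because the score averages the three features, a late login from the corporate network with normal volume stays below the threshold, which is the case the static 22:00 rule gets wrong.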

2. Threat Intelligence + ML

It's not just your logs. It's ecosystem knowledge:

  • What malware is active now?
  • What exploit was discovered yesterday?
  • What IP range was identified as C&C (command and control)?

AI: Correlates external intelligence with your events

Local event: outbound connection to IP X.X.X.X port 443
Threat intelligence: IP X.X.X.X was seen in Emotet botnet yesterday
Auto-correlation: "Your server may be compromised with Emotet"
Action: Immediate network isolation, malware scan
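
The correlation step above, as an added example that is not code from the original post. It goes slightly beyond the text by matching CIDR ranges and checking indicator age, so a stale entry leads to review instead of automatic isolation. The feed layout, host names, addresses (documentation ranges) and the 30-day limit are constructed assumptions.

```python
from datetime import date
from ipaddress import ip_address, ip_network

MAX_AGE_DAYS = 30   # assumed: indicators older than this are treated as stale

# Constructed feed entries; addresses come from documentation ranges.
FEED = [
    {"network": "198.51.100.23/32", "family": "Emotet", "last_seen": date(2026, 6, 10)},
    {"network": "203.0.113.0/28", "family": "Emotet", "last_seen": date(2026, 3, 1)},
]
# Constructed outbound flows: (date, internal host, destination IP, port)
FLOWS = [
    (date(2026, 6, 11), "srv-app03", "198.51.100.23", 443),
    (date(2026, 6, 11), "srv-app04", "203.0.113.5", 443),
    (date(2026, 6, 11), "srv-app05", "192.0.2.80", 443),
]


def correlate(flows, feed):
    """Join outbound flows against the feed and pick an action per match."""
    indicators = [(ip_network(entry["network"]), entry) for entry in feed]
    hits = []
    for when, host, dst, port in flows:
        addr = ip_address(dst)
        for net, entry in indicators:
            if addr not in net:
                continue
            age = (when - entry["last_seen"]).days
            # Addresses get reassigned: only a recent sighting justifies auto-isolation.
            fresh = 0 <= age <= MAX_AGE_DAYS
            hits.append({"host": host, "dst": dst, "port": port,
                         "family": entry["family"], "indicator_age_days": age,
                         "action": "isolate_and_scan" if fresh else "review"})
    return hits


if __name__ == "__main__":
    for hit in correlate(FLOWS, FEED):
        print(hit)
```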

3. Attack Pattern Detection (Kill Chain)

An attack is rarely a single act. It's a sequence:

1. Reconnaissance (scanning)
2. Initial access (exploitation)
3. Persistence (backdoor)
4. Privilege escalation
5. Lateral movement
6. Data exfiltration

AI can detect the chain:

Day 1: Port scan detected (normal, ignored)
Day 2: Exploit attempted (suspicious)
Day 3: New process executed as admin (suspicious)
Day 4: Access to 10 different servers (suspicious)
Day 5: Large volume outbound data (alert!)

AI connects the dots: "This is a kill chain. Confidence: 0.95. Risk: CRITICAL"
Human: "Confirmed. Isolate entire subnet now"
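
Chaining weak alerts into one finding, as an added example that is not code from the original post. The alerts mirror the five days above; the host names, the 14-day window and the confidence formula (share of the six stages seen in order) are assumptions, so the number differs from the 0.95 in the illustration.

```python
from collections import defaultdict

STAGES = ["reconnaissance", "initial_access", "persistence",
          "privilege_escalation", "lateral_movement", "exfiltration"]
RANK = {name: i for i, name in enumerate(STAGES)}
WINDOW_DAYS = 14   # assumed correlation window

# Constructed alerts: (day, host, stage, description). Each is weak on its own.
ALERTS = [
    (1, "srv-web01", "reconnaissance", "port scan"),
    (2, "srv-web01", "initial_access", "exploit attempted"),
    (3, "srv-web01", "privilege_escalation", "new process executed as admin"),
    (4, "srv-web01", "lateral_movement", "access to 10 different servers"),
    (5, "srv-web01", "exfiltration", "large volume outbound data"),
    (2, "srv-db02", "reconnaissance", "port scan"),
    (9, "srv-db02", "reconnaissance", "port scan"),
]


def longest_chain(events):
    """Longest run of strictly advancing stages, in time order, within the window."""
    events = sorted(events)                 # (day, rank) tuples
    best = []                               # best[i]: longest chain ending at event i
    for day, rank in events:
        candidates = [chain for chain in best
                      if chain[-1][1] < rank and day - chain[0][0] <= WINDOW_DAYS]
        best.append(max(candidates, key=len, default=[]) + [(day, rank)])
    return max(best, key=len, default=[])


def correlate(alerts):
    """Group alerts per host and rate how far along the chain each host is."""
    by_host = defaultdict(list)
    for day, host, stage, _desc in alerts:
        by_host[host].append((day, RANK[stage]))
    findings = {}
    for host, events in by_host.items():
        chain = longest_chain(events)
        n = len(chain)
        findings[host] = {
            "stages": [STAGES[rank] for _, rank in chain],
            "confidence": round(n / len(STAGES), 2),   # share of stages seen in order
            "risk": "CRITICAL" if n >= 4 else "ELEVATED" if n >= 2 else "LOW",
        }
    return findings
```

Repeated port scans on srv-db02 never advance past the first stage, so that host stays LOW while srv-web01 is rated CRITICAL.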

Architecture: Defense + Attack

Layer 1: Perimeter Security

Responsible for: Block the obvious

  • Firewall, WAF (Web Application Firewall)
  • DDoS mitigation
  • Bot detection
  • Intrusion Detection System (IDS)

AI here: Learn pattern of legitimate vs malicious traffic

Traditional firewall:

BLOCK port 4444 (known malicious)

AI-powered firewall:

If traffic pattern on port 4444 matches 95% of Mirai botnet?
BLOCK, even if never seen before

Layer 2: Identity Security

Responsible for: Who's accessing and are they who they claim?

  • MFA (Multi-Factor Authentication)
  • UEBA (User and Entity Behavior Analytics)
  • Risk-based access

AI here: Learn pattern of each user/system

Example:

Jenkins pipeline normally pulls code from GitHub
Today: Jenkins trying to access HR database

Risk score: HIGH
Auto action: Block access, notify DevSecOps
Possible cause: Jenkins compromised, hacker trying to steal employee data

Layer 3: Insider Threat Detection

Responsible for: Stop those already inside trying to steal

  • Data access monitoring
  • Anomalous privilege usage detection
  • Data loss prevention (DLP)

AI here: Learn pattern of legitimate access

Example:

Dev X always pulls code from main repo
Today: Dev X downloading entire database dump (50GB)

History: never done this in 2 years
Context: leaving company next week?

AI score: HIGH insider threat
Action: Alert to InfoSec, possible investigation

Layer 4: Automated Response

Responsible for: Act fast

Some responses are safe enough to be automatic:

Low-risk:

  • Block malicious IP
  • Terminate suspicious session
  • Reset credential
  • Disable account

Medium-risk:

  • Network isolation of compromised server
  • Kill suspicious process
  • Rollback config change

High-risk (Human always):

  • Restore from backup (may be old)
  • Shutdown server (data loss)
  • Forensics (destroying evidence if automatic)

Example: Ransomware Detected Before Encryption

Scenario: Ransomware enters datacenter

Traditional defense:

  1. File encrypted → backup detects corruption
  2. Admins wake up (if nighttime)
  3. Isolate server → damage already done
  4. Recovery: hours to days
  5. Data loss: significant

With AI:

  1. New process (ransomware) starts encrypting
  2. Anomalous I/O pattern: writes 100x more "random data" than normal
  3. Accesses files in critical directory it never accesses
  4. AI: "This is ransomware with 0.99 confidence"
  5. Auto action: network isolation + process kill
  6. Total time: 2 minutes
  7. Data loss: 0.5% (from 2 min before isolation)
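
Steps 2 and 3 of the AI path above, as an added example that is not code from the original post: Shannon entropy measures how "random" written data is, combined with a check for directories the process never touches. Process names, paths and both limits are constructed assumptions, and hashed counters stand in for real ciphertext.

```python
import hashlib
import math
from collections import Counter

ENTROPY_LIMIT = 7.5   # bits per byte; encrypted data sits close to 8.0
MIN_WRITES = 20       # assumed: high-entropy writes required before acting


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for an empty buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Constructed stand-in for encrypted output: SHA-256 in counter mode."""
    blocks = (hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(size // 32))
    return b"".join(blocks)


def assess(process, writes, usual_dirs):
    """writes: list of (directory, buffer) observed for one process."""
    high = [d for d, buf in writes if shannon_entropy(buf) >= ENTROPY_LIMIT]
    unusual = sorted({d for d in high if d not in usual_dirs})
    # Compressed backups are high-entropy too, so entropy alone is not enough:
    # require that the writes also land in directories the process never touches.
    hit = len(high) >= MIN_WRITES and bool(unusual)
    return {"process": process, "high_entropy_writes": len(high), "unusual_dirs": unusual,
            "action": "isolate_host_and_kill_process" if hit else "none"}


# Constructed observations for three processes: (writes, directories normally used).
LOG_LINE = b"2026-06-11 12:00:01 INFO request served in 12 ms\n" * 80
OBSERVED = {
    "app-logger": ([("/var/log/app", LOG_LINE)] * 50, {"/var/log/app"}),
    "backup-agent": ([("/backup", pseudo_ciphertext(i)) for i in range(40)], {"/backup"}),
    "unknown.bin": ([("/srv/finance", pseudo_ciphertext(100 + i)) for i in range(40)], {"/tmp"}),
}


def verdicts():
    """Action chosen for each observed process."""
    return {name: assess(name, w, dirs)["action"] for name, (w, dirs) in OBSERVED.items()}


if __name__ == "__main__":
    print(verdicts())
```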

Implementation: 6 Months

Months 1-2: Baseline + Instrumentation

  • Deploy SIEM/EDR (Endpoint Detection and Response)
  • Centralize logs (all systems)
  • Integrate threat intelligence feeds
  • Create ground truth: "What events are anomalies?"

Month 3: ML for Behavior

  • Train user anomaly model
  • Train system anomaly model
  • Validate with security team

Month 4: Threat Intelligence

  • Integrate external malware/IP feeds
  • Auto-correlation with internal events
  • A/B testing: traditional alerts vs ML

Months 5-6: Automated Response

  • Implement low-risk playbooks
  • Response orchestration
  • Incident testing (red team vs blue team)

Risks: AI in Security Also Has Them

1. Adversarial Attacks

Hacker learns your detection model and tries to fool it:

Model detects pattern A = ransomware
Hacker: "I'll do the same, but randomize timing to not match pattern A"
Result: new ransomware type not detected

Defense: Defensive ML, ensemble of models, drift monitoring

2. False Positives at Scale

If model detects 1000 anomalies/day but 90% are false positives:

  • Operator ignores alerts (alert fatigue)
  • Real threat passes unnoticed

Defense: Rigorous tuning, calibrated threshold, business context
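
Threshold calibration against analyst-labelled alerts, as an added example that is not code from the original post. It picks the lowest threshold that meets a precision target and reports what that costs in missed threats; the scores, labels and the 0.75 target are constructed assumptions.

```python
# Constructed validation set: (anomaly score, analyst verdict), 1 = confirmed threat.
SCORED = [(0.99, 1), (0.97, 1), (0.95, 1), (0.93, 0), (0.91, 1), (0.88, 0), (0.85, 1),
          (0.80, 0), (0.78, 0), (0.75, 0), (0.72, 1), (0.70, 0), (0.65, 0), (0.60, 0),
          (0.55, 0), (0.52, 0), (0.50, 0), (0.45, 0), (0.40, 0), (0.35, 0)]


def evaluate(scored, threshold):
    """Precision, recall and alert count if every score >= threshold raises an alert."""
    flagged = [label for score, label in scored if score >= threshold]
    positives = sum(label for _, label in scored)
    true_pos = sum(flagged)
    precision = true_pos / len(flagged) if flagged else 0.0
    recall = true_pos / positives if positives else 0.0
    return precision, recall, len(flagged)


def calibrate(scored, target_precision):
    """Lowest threshold that meets the precision target, which keeps recall highest."""
    for threshold in sorted({score for score, _ in scored}):
        precision, recall, alerts = evaluate(scored, threshold)
        if precision >= target_precision:
            return {"threshold": threshold, "precision": round(precision, 2),
                    "recall": round(recall, 2), "alerts": alerts,
                    "missed_threats": sum(l for s, l in scored if s < threshold)}
    return None   # no threshold reaches the target: the model needs work, not tuning


if __name__ == "__main__":
    print("alert on everything:", evaluate(SCORED, 0.35))
    print("calibrated         :", calibrate(SCORED, 0.75))
```

On this set the calibrated threshold cuts 20 alerts to 5 but leaves 2 confirmed threats below the line, which is why the threshold is reviewed together with the other layers and not in isolation.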

3. AI Dependency

If the security system is 100% AI-driven:

  • Attack on model? Entire security falls
  • Systematic error? Affects everything at once

Defense: Defense in depth, multiple layers, human review for critical decisions

Conclusion

AI in security isn't "nice to have". It's necessary.

Adversaries use AI to make attacks more sophisticated. Your defense needs to be equally sophisticated.

Start with detection: where are your blind spots? Implement AI there.

Then scale to prediction and automated response.

Your datacenter is a target. Defend it right.

