Cybersecurity has long been framed as an arms race driven by increasingly sophisticated attacks. But that framing is increasingly outdated. The reality emerging from the front line is more uncomfortable: Today’s cyber risk is defined less by breakthrough innovation and more by the industrialization of existing weaknesses.
The first shift is scale. Attackers do not need zero-day exploits or cutting-edge techniques to breach organizations. There remains a vast inventory of basic vulnerabilities: poor identity controls, weak authentication processes, misconfigurations and human susceptibility to social engineering. What has changed is the speed and volume at which these weaknesses are exploited. Automation and artificial intelligence (AI) are enabling attackers to identify, chain and execute attacks continuously, at a pace that outstrips most organizations’ ability to respond. This is not elite hacking; it is the mass production of cyber intrusion.
The second shift is the role of AI. Much of the public debate has focused on AI as a source of new, existential cyber threats. In practice, its more immediate impact is to compress the gap between capability and access. Tools that once required significant expertise are becoming easier to use, cheaper to deploy and more widely available. Developments such as DeepSeek underline how quickly advanced capabilities can be replicated outside traditional centres of technological control. For attackers, AI is a force multiplier, accelerating everything from vulnerability discovery to exploit development and scripting.
Crucially, this extends beyond systems to people. AI allows threat actors to aggregate fragmented data, such as public records, breached credentials and social media, into highly targeted profiles. The result is a step change in the effectiveness of social engineering, fraud and extortion, particularly against senior executives and high-value individuals. The attack surface is no longer just the network; it is the individual.
The third shift is where attackers are focusing their efforts: identity. Breaches are often not the result of perimeter failure but of identity compromise. Residential proxy networks allow attackers to mask their activity behind legitimate-looking IP addresses, blending seamlessly into normal user behavior. This makes detection harder and enables large-scale credential abuse, from password spraying to session hijacking.
Yet even this understates the problem. One of the most overlooked vulnerabilities in modern organizations is the proliferation of non-human identities: machine-to-machine accounts, APIs and service credentials embedded deep within systems. These often carry significant privileges, are rarely monitored with the same rigor as human users and frequently persist even after an incident response resets employee credentials. In effect, they can act as a durable backdoor.
Taken together, these trends point to a clear conclusion. Cybersecurity is no longer primarily a contest of technical sophistication. It is a problem of scale, visibility and discipline. The challenge for organizations is not simply to defend against the unknown, but to address the known systematically, relentlessly and at speed.
Until that happens, attackers will continue to win not because they are more innovative, but because they are better at exploiting what is already there.
How Kroll Can Help
Advancements in frontier AI models are rapidly uncovering dormant vulnerabilities across technologies widely deployed in enterprise environments. AI-assisted discovery increases both the speed and volume of findings, shrinking the window between vulnerability identification, weaponization and real-world exploitation.
This shift exposes not only individual security weaknesses, but systemic risk across interconnected technology estates, third parties, cloud environments and critical service providers. It accelerates the need for threat-informed prioritization, coordinated remediation and defensible governance, a challenge Kroll addresses in collaboration with CrowdStrike’s Project QuiltWorks.
Beyond managing the cyber threat, broader risk mitigation should take place, including consideration of governance and compliance requirements, financial risk modelling and broader valuation implications. In an environment where AI is changing the economics and velocity of exploitation, organizations need a clear view of which exposures matter most, what they could cost, and how quickly they can be reduced.
Kroll is uniquely positioned to help institutions understand not only what is vulnerable, but what is material, bringing together cyber, valuation, risk, investigations and regulatory expertise to prioritize action, quantify exposure and support defensible decisions in a rapidly changing threat environment.

