TL;DR: Cheap AI is collapsing attacker economics by compressing recon, exploit development, phishing, and command-and-control work to model speed and cent-per-million-token cost, according to Netwrix and cited industry research. The result is not the end of defense, but a shift toward predicting intent from behaviour before an identity or token is abused.
NHIMG editorial — based on content published by Netwrix: Mythos and the cost of attacking
Questions worth separating out
Q: How should security teams reduce the value of stolen credentials in fast-moving attacks?
A: Reduce the value of stolen credentials by narrowing scope, shortening session lifetime, and forcing re-validation when access patterns change.
Q: Why do cheap AI-driven attacks change IAM and PAM priorities?
A: They change priorities because attackers can test more paths in less time than defenders can manually review.
Q: What do security teams get wrong about access reviews in machine-speed attack scenarios?
A: They often assume review cadence alone will catch abuse.
Practitioner guidance
- Instrument identity-change to data-access correlation Join entitlement changes, privileged session activity, and first-time access to sensitive data in one detection path so suspicious combinations can trigger before exfiltration.
- Shorten token and session blast radius Reduce the operational value of a stolen token by narrowing scope, limiting session lifetime, and forcing re-validation for sensitive object access.
- Treat unusual access combinations as intent signals Escalate review when an identity touches a data class it has never accessed before, especially after a recent permission increase or role change.
What's in the full article
Netwrix's full article covers the operational detail this post intentionally leaves for the source:
- The historical framing behind cost-based defence and how the doctrine evolved over two decades.
- The specific examples cited from Anthropic, Mandiant, and Aisle that support the argument about AI-speed attacker iteration.
- The product and telemetry changes Netwrix describes across identity governance, privileged access, directory security, and DSPM.
- The detailed pattern Netwrix uses to distinguish permitted access from access that signals intent.
👉 Read Netwrix's analysis of how cheap AI is changing cyber defence economics →
Cheap intelligence and the identity controls attackers now test?
Explore further
Cheap intelligence exposes an identity governance timing problem, not just a detection problem. When attackers can probe, adapt, and retry at model speed, the defender’s access review cycle becomes too slow to influence the attack path. That means the limiting factor is no longer how many alerts you can see, but whether identity telemetry can trigger action before the attacker completes a second iteration. Practitioners need to treat time-to-decision as an identity control metric.
A few things that frame the scale:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
- 24,008 unique secrets were exposed in MCP configuration files in 2025 alone, the protocol's first year of widespread adoption, according to The State of Secrets Sprawl 2026.
A question worth separating out:
Q: Who should own response when identity behaviour suggests attacker intent?
A: Ownership should sit with the identity, SOC, and platform teams together, because the signal spans entitlements, telemetry, and containment. In practice, the fastest response is the one that can revoke access, isolate the session, and preserve evidence before the attacker completes the next iteration.
👉 Read our full editorial: Cheap intelligence is reshaping cyber defense economics