TL;DR: AI-assisted attackers are using LLMs and public hacking tools to scan, exploit, and exfiltrate credentials at machine speed, according to Defakto Security. Static secrets and long-lived credentials become easier to steal and harder to defend once attack workflows can scale automatically.
NHIMG editorial — based on content published by Defakto Security: AI attack automation is here, and it’s coming for your credentials
Questions worth separating out
Q: What breaks when attackers can automate credential theft with AI?
A: The main failure is timing.
Q: Why do long-lived secrets increase identity risk in cloud and SaaS environments?
A: Long-lived secrets remain reusable until someone revokes them, which gives attackers a durable target.
Q: How do security teams know whether secret management is actually reducing risk?
A: Look for fewer reusable credentials, shorter credential lifetimes, and a lower number of systems that still depend on manually rotated secrets.
Practitioner guidance
- Eliminate reusable credentials where workloads can prove identity Replace static API keys and long-lived tokens with short-lived, dynamically issued credentials tied to workload identity.
- Map where secret exposure becomes immediate access Identify the repositories, CI/CD paths, and cloud services where a leaked secret can be used before rotation processes complete.
- Rework lifecycle controls for machine-speed misuse Align secret revocation, entitlement review, and offboarding so they operate on the same timeline as automated discovery and abuse.
What's in the full article
Defakto Security's full analysis covers the operational detail this post intentionally leaves for the source:
- The article’s discussion of how attackers combine Claude with public hacking tools to automate credential hunting across environments.
- The vendor’s reasoning on why scanning and rotation alone do not eliminate the underlying attack target.
- The explanation of how short-lived, dynamically issued credentials change the economics of both offense and defense.
- The closing section on where organisations should begin when replacing long-lived secrets with non-human identity.
👉 Read Defakto Security's analysis of AI attack automation and credential theft →
AI attack automation and static secrets: are your controls keeping up?
Explore further
Static secrets are now a scaling liability, not a convenience. The old trade-off assumed that keeping credentials in place was acceptable if teams could eventually find and rotate them. That assumption fails once attack automation can discover and test credentials faster than humans can respond. The implication is that the security model has to stop treating long-lived secrets as a manageable asset.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Should organisations prioritize workload identity over secret rotation?
A: Yes, when the workload can authenticate without a persistent secret. Rotation still helps in legacy paths, but it does not solve the core problem if the credential remains reusable and stealable. Workload identity changes the control objective by removing the secret as the primary attack target.
👉 Read our full editorial: AI attack automation is exposing the limits of static credentials