The clock just got a lot shorter
Last month the Five Eyes cyber agencies (US, UK, Australia, Canada, New Zealand) put out a joint statement that a lot of people skimmed past. The headline was that AI-powered attacks are months away, not years. The number underneath it is the part worth stopping on. Security firms tracked a 340% jump in AI-driven attacks across 2026, and attackers are now moving from first access to stealing data in under 72 minutes.
Seventy-two minutes. That is shorter than most teams' on-call acknowledgement window on a bad night.
The warning itself is not the interesting bit. Spy agencies warn about things for a living. What matters for anyone building or running software is the shape of the threat. Autonomous attackers can chain exploits together, adapt to the defenses they hit in real time, and scale past what a human team could ever run. The attack loop just got automated. Most defensive loops did not.
Why speed breaks your current playbook
Most incident response runbooks quietly assume a human pace of attack. Recon over days. Lateral movement over hours. A comfortable window where someone notices something odd, pings a channel, and starts asking questions.
Automated attackers collapse that window. They do not sleep, they do not lose focus, and they do not wait for business hours. If your detection-to-response loop is measured in hours and the attacker's is measured in minutes, the outcome is already decided. That is not a tooling problem. It is a loop-length problem, and you fix it by shortening your own loop, not by buying another dashboard.
What actually helps
The Five Eyes guidance was deliberately boring: patch old systems, fix faulty software, limit who can reach critical systems. Boring is correct here. A few things that move the needle:
- Kill the patch backlog. Automated attackers scan for known CVEs at machine speed. An unpatched known vulnerability used to be a someday risk. Now it is a same-day one. Treat your patch queue like a production incident, because it is one waiting to happen.
- Cut standing access. Every long-lived credential and always-on admin session is blast radius. Short-lived tokens and least privilege mean a 72-minute breach reaches far less.
- Automate the boring half of response. If a human has to be paged, read logs, and decide before anything can happen, you have already lost the race. Pre-approve containment for known-bad signatures so isolation happens in seconds, not after a war room spins up.
- Put AI on the defensive side too. The same speed that helps attackers helps defenders. Behavioral detection that flags unusual access patterns early is one of the few things that keeps pace with an automated attack.
Build for the 72-minute world
The uncomfortable truth is that a lot of security architecture was designed for an attacker who thinks and moves like a person. That attacker is being replaced by one that moves at software speed. You do not need to panic. You need to assume the window is minutes, and design your detection, access, and response around that assumption instead of hoping the old timelines hold.
We are here to help founders and teams design and build digital products that are built to scale with you, not slow you down. If you're looking to build something, get in contact with us today!