Artificial Intelligence

AI scales cyber deception; defense needs truth at machine speed

Attackers use AI to generate massive deceptions, while defenders require unified, verifiable data in real time.

June 15, 2026 · 5 min read


TL;DR: AI enables attackers to scale deception at low cost; defenders must prioritize data integration and governance to achieve 'truth at machine speed' for reliable real-time decisions.

What happened?

Artificial intelligence has democratized cyber deception. According to an analysis published by VentureBeat in collaboration with Splunk, attackers can now generate thousands of phishing emails, fake identities, and personalized pretexts in the time it takes a defender to complete a single change control cycle. The economics of attack have shifted dramatically: a failed attempt costs the attacker almost nothing, while defensive verification remains slow and expensive. This imbalance is unprecedented in the history of cybersecurity. Before generative AI, phishing attacks required manual effort: crafting convincing messages, creating fake domains, and cultivating victim trust took hours or days. Today, tools like GPT-4 or open-source models make it possible to automate the entire process, from gathering public information to generating hyper-personalized emails. The Splunk report notes that the marginal cost of a successful attack has dropped to nearly zero, while the cost of defense remains high because of the need for human analysis and data correlation.

The core problem, the article argues, is not just detection but evidence: where data lives, whether it is available when needed, how quickly it can be correlated, how long it is retained, and whether analysts or AI agents can trust what they retrieve. Defense in the AI era is a data problem before it is a detection problem. Historically, cybersecurity has focused on improving detection models: malware signatures, SIEM rules, machine learning algorithms. But these models are only as good as the data they process. If data is fragmented in silos (network logs, identity records, endpoint telemetry, support tickets), any model, no matter how advanced, will stumble due to lack of context. A classic example is the 2020 SolarWinds attack: defenders had data but could not correlate it in time because it resided in separate systems with different retention policies. AI accelerates this problem by allowing attackers to exploit shorter time windows.

Why is it important?

The defender's advantage has always been truth: knowing quickly what happened, where, when, what identity was involved, what assets were affected, and what business process is at risk. But that truth must be documented, governed, auditable, and defensible. Attackers use AI to scale deception; defenders need AI to scale verification. The VentureBeat/Splunk report compares this dynamic to the evolution of cyber warfare: during the 2010s, the advantage lay in response speed (detection and containment times). Now, with AI, the advantage shifts toward data integrity and availability. Without a reliable data foundation, even the fastest response teams can make wrong decisions based on incomplete information. For example, a contractor account impersonation incident could be misinterpreted as an insider threat if endpoint activity logs and business context are missing.

The challenge intensifies with the arrival of AI assistants and agents. These systems can only reason about the information they retrieve in time. If data is partial, outdated, fragmented, or lacks context, AI does not create truth but accelerates uncertainty. A recent example is the use of AI assistants in Security Operations Centers (SOCs): if the agent only has access to network logs without identity data, it might misclassify legitimate access as malicious, generating false positives that overwhelm analysts. Conversely, if data is integrated and contextualized, AI can reduce Mean Time to Detect (MTTD) from days to minutes. According to Splunk, organizations that have implemented a unified data platform report a 40% reduction in incident investigation time.

Consequences and recommendations

The article proposes that the traditional logging system (SIEM, data lakes) must evolve into a defensive control plane that does four things:

  • Preserve evidence: logs, metrics, traces, events, identity records, configuration changes, tickets, and business context. This implies longer retention policies and immutable storage to comply with regulations like GDPR or SOX.
  • Reach data wherever it lives: not move everything to a single place, but query at source through data federation. This reduces storage costs and avoids duplication, but requires common access standards like OpenTelemetry.
  • Add business context: link technical events to processes, owners, and risks. For example, access to a customer database should be correlated with the process owner and asset criticality level.
  • Govern action: ensure any decision or response is explainable and trustworthy. This is crucial when AI agents execute automated responses, such as isolating an endpoint or revoking credentials. Without traceability, automated actions can cause collateral damage.

In practice, this means organizations must treat evidence as a critical asset, not a byproduct. AI does not reduce the need for authoritative logs; it raises the standard for what those logs must do. An example of successful implementation is a financial company that migrated from a traditional SIEM to a federated data architecture: it reduced incident correlation time from 4 hours to 15 minutes and decreased false positives by 30% by enriching logs with HR and asset management data.
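The four functions of the control plane described above, and the log enrichment with identity and asset data mentioned in the example, can be made concrete in a small triage routine. The following is an added example written for this page; it is not code from the article, from Splunk, or from the financial company described. All record formats, field names (`user`, `asset`, `criticality`, `processes`), the identity directory and the asset inventory are constructed assumptions. Each decision carries a digest of the raw event (preserved evidence), the sources it consulted and the gaps it found (federation and business context), and a written rationale (governed, explainable action). When identity or asset context is missing, the routine refuses to auto-classify rather than guessing, which is the failure mode the article warns about when AI agents reason over partial data.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict

# Constructed sample data for this example only; not taken from the article
# or from any Splunk/VentureBeat material. Each line is one raw auth event
# exactly as a collector might preserve it.
RAW_AUTH_EVENTS = [
    '{"ts":"2026-06-15T08:02:11Z","user":"c-jdoe","src_ip":"10.20.3.7","asset":"db-cust-01","action":"login","result":"success"}',
    '{"ts":"2026-06-15T08:05:40Z","user":"mrivera","src_ip":"10.20.8.19","asset":"wiki-01","action":"login","result":"success"}',
    '{"ts":"2026-06-15T08:07:03Z","user":"mrivera","src_ip":"10.20.8.19","asset":"db-cust-01","action":"login","result":"success"}',
    '{"ts":"2026-06-15T08:09:02Z","user":"c-aleft","src_ip":"203.0.113.9","asset":"db-cust-01","action":"login","result":"success"}',
    '{"ts":"2026-06-15T08:11:55Z","user":"ghost","src_ip":"198.51.100.4","asset":"hr-pay-02","action":"login","result":"success"}',
]

# Constructed identity directory (the "HR data" of the article's example).
IDENTITY_DIRECTORY = {
    "c-jdoe": {"type": "contractor", "status": "active", "processes": ["card settlement"]},
    "mrivera": {"type": "employee", "status": "active", "processes": ["internal docs"]},
    "c-aleft": {"type": "contractor", "status": "terminated", "processes": []},
    # "ghost" is deliberately absent: an account nobody in the directory can vouch for.
}

# Constructed asset inventory with owner, criticality and business process.
ASSET_INVENTORY = {
    "db-cust-01": {"criticality": "high", "owner": "payments", "process": "card settlement"},
    "wiki-01": {"criticality": "low", "owner": "it-ops", "process": "internal docs"},
    # "hr-pay-02" is deliberately absent: an asset with no recorded owner or criticality.
}


@dataclass
class Decision:
    """An auditable, explainable triage decision tied to preserved evidence."""
    event_digest: str                       # SHA-256 of the raw event line as stored
    verdict: str                            # benign | review | escalate | insufficient_evidence
    rationale: list = field(default_factory=list)
    sources_consulted: list = field(default_factory=list)
    missing_context: list = field(default_factory=list)


def enrich_and_decide(raw_event, identities, assets):
    """Join one raw auth event with identity and asset context and decide.

    The digest binds the decision to the exact evidence it was made from, so a
    later reviewer can verify that the preserved log line has not changed.
    """
    event = json.loads(raw_event)
    decision = Decision(
        event_digest=hashlib.sha256(raw_event.encode("utf-8")).hexdigest(),
        verdict="benign",
        sources_consulted=["auth_log", "identity_directory", "asset_inventory"],
    )

    identity = identities.get(event["user"])
    asset = assets.get(event["asset"])
    if identity is None:
        decision.missing_context.append(f"identity:{event['user']}")
    if asset is None:
        decision.missing_context.append(f"asset:{event['asset']}")

    # Partial data does not produce truth: refuse to classify and surface the gap
    # so both the analyst and the data owner can act on it.
    if decision.missing_context:
        decision.verdict = "insufficient_evidence"
        decision.rationale.append(
            "Context gap: not auto-classifying; route to analyst and repair the missing source."
        )
        return decision

    # A successful login by a non-active account is actionable regardless of asset.
    if identity["status"] != "active" and event["result"] == "success":
        decision.verdict = "escalate"
        decision.rationale.append(
            f"Successful login by {identity['status']} {identity['type']} account {event['user']}"
        )
        return decision

    # Business context: a high-criticality asset accessed by someone not assigned
    # to its process is worth a human look but is not proof of malice.
    if asset["criticality"] == "high" and asset["process"] not in identity["processes"]:
        decision.verdict = "review"
        decision.rationale.append(
            f"{event['user']} is not assigned to process '{asset['process']}' "
            f"owning high-criticality asset {event['asset']} (owner: {asset['owner']})"
        )
        return decision

    decision.rationale.append("Identity active and entitled to the asset's business process")
    return decision


def triage(raw_events, identities, assets):
    """Run enrichment over a batch of raw events and return the decisions in order."""
    return [enrich_and_decide(e, identities, assets) for e in raw_events]


if __name__ == "__main__":
    for d in triage(RAW_AUTH_EVENTS, IDENTITY_DIRECTORY, ASSET_INVENTORY):
        print(json.dumps(asdict(d), indent=2))
```

Run as a script, the five constructed events yield benign, benign, review, escalate and insufficient_evidence, in that order. The point of the structure is that every automated verdict can be replayed: the digest identifies the evidence, `sources_consulted` and `missing_context` document what the decision did and did not see, and `rationale` gives the reason a person or a downstream agent can check before acting.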

“The goal is not just to act faster than the attacker. It is to take actions that people and machines can trust.” — VentureBeat/Splunk

This quote summarizes the paradigm shift: speed without trust is dangerous. Organizations that invest in robust data infrastructure will be better prepared for the next generation of AI-driven attacks, such as deepfake phishing or real-time impersonation attacks. Conversely, those that continue to rely on data silos and isolated detection models will fall behind.

What readers should know

Security teams must prioritize data integration, governance, and real-time correlation capabilities. Investing only in faster detection models will not suffice if the raw material (data) is fragmented. Truth at machine speed is the new defensive competitive advantage. Specifically, it is recommended to:

  • Audit the current data architecture: identify silos, disparate retention policies, and missing context sources.
  • Implement a data federation layer that enables real-time queries across multiple sources (logs, identity, cloud, endpoints).
  • Establish a security data catalog with trust metadata, lineage, and business context.
  • Train SOC teams in using AI assistants, ensuring underlying data is complete and reliable.
  • Regularly test response capabilities with attack scenarios using generative AI to identify gaps in data integration.

In summary, the AI era in cybersecurity is not just a race for speed, but for truth. Those with the most complete, accessible, and contextualized data will have the advantage.
