Outsmarting AI-powered cyber attacks: Endpoint defense for 2025

Join our daily and weekly newsletters for the latest updates and exclusive content on industry-leading AI coverage. Learn More

Adversaries are unleashing new tradecraft to exploit any weakness they can find in endpoints, relying on generative AI (gen AI) to create new attack weapons of choice.

What’s troubling is how fast their arsenals are growing. That’s evident in the speed and scale of phishing campaigns, deepfake videos, and social engineering attacks. Over 67% of phishing attacks relied on AI last year, and 61% of security leaders are seeing phishing campaigns created at scale with AI chatbots attacking their organizations. Deloitte predicts deep fake-related losses will soar to $40 billion by 2027, growing at a 32% compound annual growth rate.

Cybersecurity teams who have successfully battled endpoint attacks tell VentureBeat it’s common for adversaries to perform reconnaissance months in advance of an attack to identify weaknesses in endpoints.  

All it takes is a quick phone call to the internal service desk for a password or MFA reset at the right time, and they’re in.

Endpoints facing an onslaught of new AI-based attacks 

Adversaries are prioritizing and fast-tracking attacks on endpoints using every available source of automation to scale their efforts, with gen AI and machine learning (ML) being the core attack technologies of choice.

Financial services, healthcare, manufacturing, distributors, and core businesses in complex supply chains are the primary targets. Creating chaos in a financial services supply chain is a ransomware multiplier.

“Because of the nature of our business, we face some of the most advanced and persistent cyber threats out there,” Katherine Mowen, The Rate Companies’ SVP of information security, told VentureBeat in a recent interview. “We saw others in the mortgage industry getting breached, so we needed to ensure it didn’t happen to us. I think that what we’re doing right now is fighting AI with AI.”

Adversaries’ AI-based weapons are getting so advanced that a breach could be going on for months without an organization’s security team seeing it. The average time it takes to identify and contain a breach is 277 days, with 176 days to recognize it and 82 days to contain it, based on IBM’s latest Cost of a Data Breach Report. Weaponized AI is making it harder for enterprises to close that gap.

“If you’ve got adversaries breaking out in two minutes, and it takes you a day to ingest data and another day to run a search, how can you possibly hope to keep up with an adversary like that?” Elia Zaitsev, chief technology officer at CrowdStrike, told VentureBeat recently.

One in three organizations doesn’t have a documented strategy for defending against AI and gen AI threats. Ivanti’s 2024 State of Cybersecurity Report found that 89% of CISOs and senior IT leaders believe AI-powered threats are just getting started.

The majority of security leaders, 60%, fear their organizations are not prepared to defend against AI-powered threats and attacks​. Ivanti’s research found that phishing, software vulnerabilities, ransomware attacks, and API-related vulnerabilities are the four most common threats. It’s no coincidence that these four methods are seeing their greatest gains from gen AI.   

Endpoint protection urgently needs more speed

“The adversary is getting faster, and leveraging AI technology is a part of that. Leveraging automation is also a part of that, but entering these new security domains is another significant factor, and that’s made not only modern attackers but also modern attack campaigns much quicker,” Zaitsev says.

Etay Maor, chief security strategist at Cato Networks, noted during a recent VentureBeat interview that Cato Networks is already seeing cases “where attackers are trying to circumvent AI-based systems by giving them prompt injections, or not necessarily prompt[s], but injecting information into the AI system and trying to convince it that what it’s looking at is not malicious, but rather benign.”

Maor continued, “We participate and monitor in different underground forums and see hundreds of AI applications popping up. I think organizations don’t realize what is happening on their network, and the big headache will be once we see the malicious ones slip through the cracks.”

“Every day we identify about one and a half million brand new attacks that have never been seen until now,” said Shailesh Rao, president of Palo Alto Networks’ Cortex division. “The attacks are becoming so sophisticated, the needle changes billions of times a day. Would you rather write rules or apply machine learning to all this data?”

Vasu Jakkal, corporate vice president, security, compliance and identity at Microsoft, painted an even starker picture in an interview with VentureBeat. “Three years back in 2021, we saw 567 identity-related attacks, which were password-related; that’s many attacks per second. Today, that number is 7,000 password attacks per second and over 1,500 tracked threat actors.”

Four areas where every endpoint provider needs to excel with AI in 2025  

Endpoint, identity, and multi-domain attacks are dominating the enterprise threatscape today, fueled in part by new tradecraft invented using gen AI.

Endpoint providers need to make progress on data ingestion, incident prioritization, automating triage and repose, and improvising attack path analysis. Leading endpoint providers delivering AI-based endpoint protection platforms include Cato Networks, Cisco, CrowdStrike, Microsoft, Palo Alto Networks, SentinelOne, Trend Micro, and Zscaler, with CrowdStrike using AI and ML as core components of its strategy since its founding in 2011.

Here are four key areas every vendor needs to take action on this year:

Speeding up data ingestion and normalization: AI helps endpoint vendors quickly parse logs from endpoints, SaaS apps, and on-premise servers, mapping data to a universal schema. This has the potential to cut analysis time from days to minutes.

Improving incident identification and follow-on actions: AI-powered correlation engines sift through millions of alerts, narrowing them to a few high-value leads using time-series data, IOAs, and custom models to prioritize the most critical incidents.

Accelerating how the endpoint platform triages and responds to intrusion attempts: AI-driven tools assist with advanced searches, generate remediation scripts, and reduce manual forensics time from hours to minutes. Pre-built playbooks enable quick actions, such as isolating endpoints or blocking malicious IPs.

Enabling a more proactive posture and improving attack path analysis: AI identifies likely intrusion routes by combining threat intelligence, vulnerabilities, user permissions, and network data, and then recommends targeted fixes to block multiple attack paths.

A playbook for 2025: 12 must-dos to close the AI gaps in endpoint security

Battling AI attacks with AI needs to start at a more strategic level than it currently does in many organizations. It goes beyond overloading endpoints with yet another agent, or requiring users to authenticate across multiple identity management systems. AI needs to be at the very core of the cybersecurity stack.

The following 12 must-dos form a pragmatic playbook for 2025, covering the key technologies, processes, and cultural shifts necessary to close the widening gaps in endpoint security.

• SASE or SSE adoption: Adopt a converged SASE or SSE approach that blends zero trust with your network, endpoint, and identity data. Let AI monitor everything in real time so you don’t miss threats that siloed tools can’t see.
• Semantic data modeling for unified visibility: Standardize logs across the cloud, endpoints, and identity systems into one model. Let AI parse and normalize the data so your team gets the full picture fast.
• AI-based triage and playbooks: Use an XDR or similar system aligned with zero trust to reduce dwell times. AI-driven playbooks help orchestrate responses in minutes, not days.
• Signal-like engines for threat prioritization: Correlate data across your zero-trust architecture to catch stealthy threats. AI can help surface suspicious patterns so you can focus on real problems first.
• Identity threat prevention: Lean on zero-trust principles for real-time posture checks and privilege analytics. AI blocks attackers who try to pivot with stolen credentials or tokens.
• Proactive hardening via attack path analysis: Enforce zero trust from the start to limit lateral movement. AI pinpoints the fewest fixes that block multiple paths in one pass.
• Explainable AI and governance: Trace every AI-driven decision so your board and regulators trust it. Zero trust means no black boxes. Maintain visibility into AI’s logic.
• Use specialized AI over generic models: Train models on real attacker tactics within a zero-trust framework. You’ll see fewer false positives and more accurate detection.
• Continuous model tuning and dataset refreshes: Update AI models regularly to keep up with evolving threats. Zero trust is dynamic, so your data pipelines should be, too.
• Human-in-the-loop validation: Even with zero-trust automation, human insight matters. Analysts refine AI findings to catch nuanced threats and cut down on false alarms.
• Automated incident response orchestration: Integrate AI playbooks with zero-trust checks across endpoints, firewalls and identity. Once vetted, responses propagate instantly.
• End-to-end zero-trust integration: Verify at each step of the kill chain. Combining AI detection with strict access controls forces attackers to overcome fresh barriers at every turn.

Bottom Line