
AI-Powered Cyberattacks Put MSSPs and SOC Teams Under Pressure


CrowdStrike, in its 2026 Global Threat Report, found that the average cybercrime breakout time – the critical window between a threat actor’s initial breach of a system and when they move laterally to other systems, networks, or cloud environments – dropped to 29 minutes last year, a 65% year-over-year increase in speed.

The fastest breakout took all of 27 seconds.

Much of this is driven by AI and automation use by cybercriminals, prompting analysts to emphasize that “speed is now the defining characteristic of intrusion, and it has fundamentally reshaped how adversaries evade detection.”

Other researchers are also picking up accelerated AI-supported cyberattacks. In its 2026 Global Incident Response Report, Palo Alto Networks’ Unit 42 threat intelligence group said that attacks are four times faster year-over-year, with the time needed for bad actors to move from initial access to data exfiltration falling to 72 minutes.

“We’re seeing AI used in reconnaissance, phishing, scripting, and operational execution, which enables machine-like speed at scale,” the researchers wrote.

This is a challenge for any defender or security operations center (SOC), most of which are bringing AI into their environments in hopes of leveling the playing field. It is equally true for MSSPs, which may be responsible for protecting dozens of clients and already contend with everything from tool sprawl to the difficulty of finding and keeping skilled analysts.

'The Math No Longer Works'

“The math no longer works for human-only SOCs,” Christophe Briguet, AI and machine learning manager for Stellar Cyber, which offers an AI-driven extended detection and response (XDR) platform for MSSPs, told MSSP Alert. “If an attacker can exfiltrate in 72 minutes ... and your average MSSP triage time on a Tier-1 alert is 30 to 45 minutes, you've already lost before an analyst opens the ticket. The economics of human-only operations don't hold at this tempo.”
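As an added illustration (not code from the article or from any vendor quoted here), the following Python computes the two intervals the reports above measure – breakout time, from initial access to the first lateral movement, and time to exfiltration – from a constructed event timeline, and then flags the intrusions that a SOC with a given Tier-1 triage budget would not have reached in time. The log format, action names, hostnames and intrusion IDs are assumptions made for the example; the timings are chosen to mirror the 29-minute, 27-second and 72-minute figures cited above.

```python
from datetime import datetime, timezone

# Constructed sample timeline for two intrusions (not real telemetry). Each line is
# key=value pairs; the action vocabulary is an assumption made for this example.
SAMPLE_LOG = """\
ts=2026-02-10T09:00:00Z intrusion=inc-1 host=web01 action=initial_access detail=phishing_payload
ts=2026-02-10T09:12:30Z intrusion=inc-1 host=web01 action=credential_access detail=lsass_dump
ts=2026-02-10T09:29:00Z intrusion=inc-1 host=fs01 action=lateral_movement src=web01
ts=2026-02-10T10:12:00Z intrusion=inc-1 host=fs01 action=exfiltration detail=rclone_put
ts=2026-02-11T14:00:00Z intrusion=inc-2 host=vpn-gw action=initial_access detail=valid_account
ts=2026-02-11T14:00:27Z intrusion=inc-2 host=dc01 action=lateral_movement src=vpn-gw
"""


def parse_line(line):
    """Split 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def intrusion_timings(log_text):
    """Per intrusion: seconds from initial access to the first lateral movement
    (breakout) and to the first exfiltration. None where that stage was never seen."""
    by_id = {}
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_id.setdefault(ev["intrusion"], []).append(ev)
    timings = {}
    for iid, events in by_id.items():
        first_seen = {}
        for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
            first_seen.setdefault(ev["action"], parse_ts(ev["ts"]))
        t0 = first_seen.get("initial_access")
        if t0 is None:
            continue  # no start of the clock, so nothing to measure

        def since_access(action, t0=t0, first_seen=first_seen):
            t = first_seen.get(action)
            return None if t is None else (t - t0).total_seconds()

        timings[iid] = {
            "breakout_s": since_access("lateral_movement"),
            "exfil_s": since_access("exfiltration"),
        }
    return timings


def triage_too_slow(timings, triage_budget_s):
    """Intrusions whose breakout happened before a Tier-1 triage of that length would finish."""
    return sorted(
        iid for iid, t in timings.items()
        if t["breakout_s"] is not None and t["breakout_s"] < triage_budget_s
    )


if __name__ == "__main__":
    t = intrusion_timings(SAMPLE_LOG)
    for iid, v in t.items():
        print(iid, v)
    print("lost at 45-minute triage:", triage_too_slow(t, 45 * 60))
    print("lost at 25-minute triage:", triage_too_slow(t, 25 * 60))
```

The point of the second function is the comparison Briguet makes: with a 45-minute triage budget both constructed intrusions break out before an analyst would have opened the ticket, and even a 25-minute budget does nothing for the one that breaks out in 27 seconds.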

Briguet pointed to three trends contributing to the compressed timeline. The first is that AI is collapsing attackers’ workflows: he noted how frontier models like Anthropic’s Mythos and OpenAI’s GPT-5.4-Cyber can now read code, detect vulnerabilities, generate exploits, and chain them together at machine speed.

“The time from ‘I want in’ to ‘I have a working playbook’ has gone from weeks to hours, and even non-experts can operationalize techniques that used to require nation-state expertise,” he said.

Identities and Toolchains

The other two are the shift by bad actors to targeting identity as the primary access point into victims’ systems – identity-led attacks are harder for traditional security tools to detect because on the surface they look like legitimate activity – and the industrialization of the attacker toolchain, from initial access brokers to ransomware-as-a-service and, now, AI-as-a-service.

“Put those three together, and we see that 72 minutes is just a snapshot in time,” Briguet said, warning that the timeframe will only shorten.

MSSPs Need AI and Automation

Automation is central to what MSSPs and security teams need to embrace, according to Briguet and others.

“Automation is key,” Kevin McGrail, cloud fellow and principal evangelist with Google Cloud security partner DitoWeb, told MSSP Alert. “Humans cannot be the key to defense. You must be using automated response systems. You must be expecting compromised accounts.”

Briguet agreed, adding that “augmenting analyst productivity is no longer enough. We need to create entirely new units of productivity inside the SOC, a comprehensive, systematic analysis that no human team could ever produce, running continuously, 24/7, across every alert. That's the shift from human-in-the-loop to human-on-the-loop: humans supervising and steering the system rather than performing every triage step themselves.”

To enable this, MSSPs need to consolidate onto an integrated platform so that all the telemetry a SOC collects – network, endpoint, and identity, for example – sits in one place and the AI can reason over the full picture, he said. In addition, agentic AI needs to be embedded wherever saving time is crucial, from triage to investigation to evidence assembly. Such work can take a Tier 1 analyst several hours; for AI agents, it takes minutes.

'This is a Margin Story'

This is an area that Jessica Davis, principal analyst in Omdia’s MSP practice, zeroed in on. The near-term use case for AI isn’t autonomous response but triaging alerts and prioritization. SOC analysts are overwhelmed by alerts, and it’s a problem created by scale rather than personnel.

“For MSSPs this is a margin story, not just a speed story,” Davis told MSSP Alert. “MSSP economics are labor-bound, and SOC analysts are expensive and hard to retain. If AI triage cuts analyst time per alert by 30 to 40 percent, that's either the capacity to take on more clients with the same team or room to move senior analyst time up the stack into hunting and IR work that commands a higher margin. The MSSPs getting this right don't just get faster. They restructure their cost base.”

MSSP AI Adoption

So, are MSSPs bringing AI and automation into their operations? According to Davis, large, sophisticated MSSPs and a “small leading tier” of managed detection and response (MDR) providers are.

“The broad middle is in the bolting-it-on phase, using the AI features their vendor platform ships without changing the service tier structure or pricing model, so the efficiency benefit shows up as analyst quality-of-life rather than margin expansion,” she said. “The middle tier is seeing efficiency gains captured by vendor licensing rather than flowing to MSSP margin.”

“The gap between using AI triage and having rebuilt the service tier around it is where differentiation will show up over the next two to three years,” Davis added.

DitoWeb’s McGrail said it’s difficult to know how quickly MSSPs are adopting AI because “everyone is throwing AI into the names of their products and losing credibility.” That said, AI is part of the answer, he added, but it has to rest on good underlying security.

Good Security Practices Matter

McGrail said that MSSPs also need to adopt other advanced security controls, from zero-trust networks and context-aware access protection to multifactor authentication (MFA) to next-generation firewalls (NGFW) with “Kipling Tuples,” a zero-trust policy model in which each rule answers the six interrogatives – who, what, when, where, why, and how – taken from a 1902 Rudyard Kipling poem, and access is granted only when all six are satisfied.
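An added example, not the page’s or DitoWeb’s own code, of how a Kipling-tuple rule can be evaluated: each rule is a who/what/when/where/why/how statement, a request is allowed only when it satisfies all six, and anything else is denied by default. That default is what makes a stolen password on its own – the “expect compromised accounts” case McGrail raises – fail on the “how” question even when the user, resource and time of day are all legitimate. The resource names, networks, roles, justification tags and factor labels are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class KiplingRule:
    who: frozenset   # identities or roles permitted
    what: str        # protected resource
    when: tuple      # (start, end) times of day, inclusive
    where: tuple     # allowed source networks (ipaddress.ip_network objects)
    why: frozenset   # acceptable justifications
    how: frozenset   # every authentication factor that must be present


@dataclass(frozen=True)
class AccessRequest:
    who: str
    what: str
    when: time
    where: str       # source IP
    why: str
    how: frozenset   # factors actually presented


def _first_failure(rule, req):
    """Return the first of the six questions the request fails, or None if it passes all."""
    if req.who not in rule.who:
        return "who"
    start, end = rule.when
    if not (start <= req.when <= end):
        return "when"
    src = ipaddress.ip_address(req.where)
    if not any(src in net for net in rule.where):
        return "where"
    if req.why not in rule.why:
        return "why"
    if not rule.how <= req.how:   # every required factor must be presented
        return "how"
    return None


def evaluate(rules, req):
    """Default-deny: allow only if some rule for this resource is satisfied on all six
    questions; otherwise report which question each candidate rule failed."""
    failures = []
    for i, rule in enumerate(rules):
        if rule.what != req.what:
            continue
        failed = _first_failure(rule, req)
        if failed is None:
            return ("allow", f"rule {i}")
        failures.append(f"rule {i}: {failed}")
    return ("deny", "; ".join(failures) or "no rule for resource")


# Constructed policy (an assumption for the example): DBAs may reach prod-db during
# business hours from the office network, with a change ticket, using password + MFA
# from a managed device.
RULES = [
    KiplingRule(
        who=frozenset({"dba"}),
        what="prod-db",
        when=(time(8, 0), time(18, 0)),
        where=(ipaddress.ip_network("10.20.0.0/16"),),
        why=frozenset({"change-ticket"}),
        how=frozenset({"password", "mfa", "managed-device"}),
    )
]


def sample_request(**overrides):
    """A fully compliant request; pass keyword overrides to break one question at a time."""
    base = dict(who="dba", what="prod-db", when=time(10, 0), where="10.20.5.7",
                why="change-ticket", how=frozenset({"password", "mfa", "managed-device"}))
    base.update(overrides)
    return AccessRequest(**base)


if __name__ == "__main__":
    print("compliant:      ", evaluate(RULES, sample_request()))
    print("03:00 login:    ", evaluate(RULES, sample_request(when=time(3, 0))))
    print("from internet:  ", evaluate(RULES, sample_request(where="203.0.113.9")))
    print("password only:  ", evaluate(RULES, sample_request(how=frozenset({"password"}))))
    print("wrong role:     ", evaluate(RULES, sample_request(who="intern")))
    print("unknown resource", evaluate(RULES, sample_request(what="hr-db")))
```

The decision string names the question that failed, which is what an MSSP analyst wants in the alert: a valid DBA password presented at 03:00 from an unmanaged device off-network is three independent reasons to suspect the account rather than the user.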

That dovetails with a point made by Matt Bromiley, security engineer at Prophet Security, who argued in a blog post that while AI delivers speed and scale to threat actors, the tactics and techniques – reconnaissance, vulnerability exploitation, credential harvesting, lateral movement, and data exfiltration – have been around for decades and remain the same.

“These tools lower the barrier to entry for less sophisticated actors,” Bromiley wrote. “That’s the real concern; the talent floor for conducting effective attacks has dropped. But the attacks themselves follow established patterns. ... The delivery mechanism got easier. The kill chain didn't change.”

Demand for Outcomes

What has changed are client expectations, and MSSPs need to understand that, Stellar Cyber’s Briguet said.

“Customers are demanding outcomes, not effort,” he said. “MSSP buyers no longer want to hear about how many alerts were processed. They want mean-time-to-detect, mean-time-to-contain, and proof that their identity surface is actively monitored. The bar has moved.”

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
