
AI-driven cyber attacks now breach networks in minutes

Thu, 26th Feb 2026

ReliaQuest reports that cyber attacks are accelerating, with threat actors now able to move laterally inside an organisation in as little as four minutes.

Its 2026 Annual Threat Report tracks activity observed during 2025 and compares it with 2024. The report finds that attackers are increasingly using artificial intelligence and automation to shorten the time needed to deepen access after gaining an initial foothold.

Lateral movement is the stage where an intruder spreads from one compromised system or account to others, often searching for privileged access and sensitive data. The fastest observed breakout time fell to four minutes, 85% faster than the prior year, the report says.

On average, lateral movement took 34 minutes, down from 48 minutes in 2024, a 29% reduction.

Containment race

The report also sets out a benchmark for defenders. Organisations using AI and automation can contain threats within four minutes, it says, while manual efforts take up to 16 hours on average.

ReliaQuest frames the gap as a structural problem for incident response teams. Faster attacker movement leaves less time for human-led triage and decision-making and increases the likelihood that teams discover an incident only after an attacker has already expanded access.

Mike McPherson, senior vice president of GreyMatter Operations at ReliaQuest, said defenders need to adopt the same approach as attackers.

"AI and automation have changed the game in cybersecurity, allowing threat actors to move faster than any human alone can combat," McPherson said.
"Thankfully defenders can outperform adversaries with Agentic AI and achieve an average containment time of four minutes. This speed is essential to rival the breakout times observed this year - a race that manual response, at up to 16 hours on average without automation, cannot win. Agentic AI enables organizations to move to predictive security - by analyzing vast datasets of rich threat intelligence, agents can adapt this intel to a customer's unique environment and close gaps before a threat actor may attack," he said.

Faster data theft

Attackers have also reduced the time needed to steal data from compromised environments. The quickest exfiltration event observed in 2025 took six minutes; in 2024, the fastest comparable case took more than four hours.

The shift matters because exfiltration frequently precedes extortion and ransomware demands. Shorter windows reduce the chance that defenders can interrupt theft before data leaves the network.

Automation and AI are now common features of ransomware operations, according to the report. It found that 80% of the ransomware groups analysed used automation, AI, or both during attacks.

The fastest attacks were fully automated, with intruders using scripts alongside legitimate tools to move and extract data at machine speed.

Reconnaissance automation

AI use is not limited to activity inside networks. The report points to faster reconnaissance, where attackers gather intelligence on targets before launching a campaign.

Attackers are automating analysis of social media profiles, corporate websites, and public data sources to identify high-value individuals and business functions more quickly. The report also says they can draft social engineering scripts faster, shrinking research that previously took days into hours or minutes.

Security teams have warned that the most damaging breaches often start with social engineering, including phishing and business email compromise. Faster target research can increase both the volume and specificity of lures sent to employees and contractors.

BoaLoader activity

The report highlights a malware strain called BoaLoader, which ReliaQuest says reflects a convergence of AI-assisted development, social engineering, and established cybercrime techniques.

BoaLoader emerged late in the year but still featured in nearly 20% of all incidents observed across the calendar year, ReliaQuest says.

The malware uses large language models to produce "clean, structured, and 'legitimate looking' JavaScript", the report says. The code can masquerade as functional software and appear as tools such as "PDF Editors" or "Recipe Listers". ReliaQuest says the approach can build user trust over time and remain on a network for months.

Once executed, BoaLoader can compromise email gateways, sandboxes, and some endpoint detections, according to the report. That combination can complicate early-stage detection and increase the chance that a user runs code that appears benign.

ReliaQuest sells its GreyMatter security operations platform, which it says uses agentic AI, along with a "Universal Translator" and "detection-at-source", to connect telemetry across cloud and on-premises systems. The company says it has more than 1,000 customers and operates across six global operating centres.