Hackers. They’re Just Like Us.
In that they’re using AI to get more productive too, and capitalizing on weak MCP deployments while they're at it.
Still way too early to declare victory, but evidence that AI investments really do pay off is starting to mount. Recent data from Morgan Stanley, for example, suggests that organizations using AI for at least a year are seeing an 11.5% productivity increase on average.
Unfortunately for us, however, criminal organizations are seeing the same benefits.
“Threat actors are using AI and code-generation tools to move faster, speeding up reconnaissance, automating scripting tasks, and standardizing intrusion workflows so that a single operator can operate at much greater scale,” says Alessandro Di Carlo, a product manager at Malwarebytes unit ThreatDown.
The resulting impact is “game-changing”, adds his colleague Kendra Krause, who became general manager of ThreatDown last August. “We used to report on dwell times in terms of months,” she says. Now it’s more like days.
“It doesn’t take them long to get in, move laterally across the network, figure out what they need to do to encrypt, and set out ransomware or whatever they’re there to do,” Krause notes.
Indeed, in one instance documented in new research from Barracuda, it took a mere three hours for an Akira ransomware attack to go all the way from initial breach to encryption.
Bad enough, but it’s about to get much worse, because threat actors are beginning to take advantage of another productivity tool gaining popularity with legitimate businesses: AI agents.
“We are no longer just seeing humans assisted by AI, but AI agents acting as primary operators,” says Marco Giuliani, vice president and head of research at ThreatDown, adding that they do more than write code. “They manage the entire end-to-end attack stack.”
Or as ThreatDown’s recently published 2026 State of Malware report concisely puts it, “cybercrime has entered its machine-scale era”.
Which is why companies like Exabeam, JumpCloud, Rubrik, and Cisco are rolling out agentic security functionality at an accelerating clip, and companies including Palo Alto, CrowdStrike, and Proofpoint are buying agentic security vendors. ThreatDown, by contrast, sees good old-fashioned managed detection and response services staffed by good old-fashioned experts as a better countermeasure.
“I’ve seen some companies try and talk a little bit more about how they’re implementing AI to offset some of the AI-driven attacks,” Krause says. “I personally think we’ve seen more success where you have more of that human-led MDR. The intelligence that you get out of AI right now from that level of protection isn’t there yet.” As its competitors invest in agentic-specific features and acquisitions, therefore, ThreatDown will invest in expanding the capabilities of its MDR service instead.
“You’ll see us get more into identity and the X [in XDR] levels of MDR throughout this year, as that becomes more and more important,” Krause says.
MCP exploits are no longer theoretical threats
Before we set AI security nightmares aside for the moment, let me feed you one more: Remember when Bitdefender warned us all a few months ago about the theoretical dangers posed by MCP, the wildly popular AI data-sharing protocol? Turns out they’re not so theoretical anymore.
“It’s allowing people to get in and see real, live data,” Krause says. “We’re all kind of relying on and trusting it a little more, and the attackers are finding ways to utilize that and get into networks much more easily than before.”
For example, Di Carlo notes, attackers are successfully using MCP to fool agents into querying internal systems and running administrative commands by sending them instructions through data sources they trust.
“In other cases, poorly secured MCP servers or overprivileged tool connections can allow an attacker to turn an AI agent into an automation layer for lateral movement, credential validation, or large-scale data collection,” he adds.
That MCP enables attacks like that isn’t what worries Di Carlo most, however. “The real issue is speed and scale, because MCP enables attackers to chain multiple actions together and execute them at machine speed, so familiar weaknesses suddenly have a much bigger impact.”
Ultimately, however, the real real issue isn’t MCP itself or even the threat actors exploiting it, because exploiting vulnerabilities is kind of what threat actors do for a living. It’s all the vendors and end users utilizing MCP without securing it properly.
“MCP itself isn’t inherently dangerous,” Di Carlo says, “but when it’s deployed without strong security controls, it can be abused in very practical ways.”




