Cisco Talos: 5 priorities to spot AI-driven attacks

Cisco Talos urges defenders to prioritize identity, exposed vulnerabilities, legacy and management‑plane risks, and pattern‑based detection to spot AI‑driven attacks.

Cisco Talos published an April 2026 Year in Review and incident response report listing five priorities for defenders to detect AI-driven attacks. The guidance responds to attackers using AI and automation to scale exploits and credential abuse.

The report finds the barrier to entry for attackers is shrinking as AI and low‑code tools let adversaries create phishing pages, exploit proof‑of‑concept code and set up capture infrastructure in hours instead of months. Talos pointed to rapid weaponization of vulnerabilities such as React2Shell and ToolShell and noted that older flaws, including Log4Shell, remain exploited years after disclosure. The report shows device compromise incidents rose 178% year over year and that nearly 40% of the top 100 most targeted vulnerabilities affect end‑of‑life systems, with 32% older than a decade.

The first priority is identity. The report documents frequent use of valid accounts and credential abuse across attack chains. Techniques include MFA spray attacks, registering attacker‑owned devices as authentication methods, and exploiting VPNs, Active Directory controllers and firewalls to steal session tokens or bypass multi‑factor controls. The report recommends treating identity and privileged access management as top‑tier protection, tightening MFA device registration, enforcing rate limits and applying conditional access to reduce automated abuse.

The second priority is vulnerabilities that are exposed and reachable. The report advises ranking fixes by internet exposure and by their impact on access and session handling rather than by CVSS score alone. It calls for shortening time‑to‑patch for externally accessible systems and for continuous reassessment of what is reachable from the internet. The report notes attackers often target weaknesses closest to session logic and access controls and can weaponize newly disclosed bugs almost immediately.

The third priority covers legacy and embedded risk. Talos identifies many targeted flaws in legacy frameworks and embedded components such as old PHP libraries, ColdFusion and logging frameworks. These components are often poorly inventoried and tightly coupled to business systems, which makes them hard to patch or replace. The report recommends improving visibility into software dependencies, treating frameworks and libraries as part of the attack surface, and planning to isolate or retire long‑running systems.

The fourth priority is securing systems that broker trust, including network management platforms, application delivery controllers and shared control‑plane software. The report states attackers focus on these platforms because they store credentials, control configurations across many devices and can be used to make broad changes. It recommends identifying management‑plane systems, applying stronger monitoring and access controls, limiting administrative privileges and enforcing network segmentation.

The fifth priority is maintaining pattern‑based detection as automation and AI increase. The report finds automated attacks still produce repeatable patterns such as reused infrastructure, recurring toolsets and predictable sequences of activity. It advises developing high‑fidelity detections for unusual authentication flows, abnormal system access and anomalous device registration, reducing alert fatigue by narrowing alerts to meaningful signals, and using automation for triage while keeping human analysts in the decision loop.

The report adds that attackers often reuse the same vulnerabilities, tools and techniques and do not behave like legitimate users. It presents behavior and pattern analysis as a detection approach when adversaries obtain valid credentials or move rapidly through networks.
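As an added illustration of the pattern‑based detections the report recommends for unusual authentication flows and anomalous device registration (this is example code, not material from the Talos report), the Python sketch below flags an MFA push spray against one account and a new authentication device registered shortly after it. The log format, event names and thresholds are constructed assumptions and would need mapping onto a real identity provider's audit log.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events, one per line: "timestamp user event source_ip".
SAMPLE_LOG = """\
2026-04-02T09:00:01Z alice mfa_prompt 203.0.113.7
2026-04-02T09:00:10Z alice mfa_denied 203.0.113.7
2026-04-02T09:00:20Z alice mfa_prompt 203.0.113.7
2026-04-02T09:00:45Z alice mfa_prompt 203.0.113.7
2026-04-02T09:00:52Z alice mfa_approved 203.0.113.7
2026-04-02T09:02:00Z alice device_registered 203.0.113.7
2026-04-02T09:05:00Z bob mfa_prompt 198.51.100.4
2026-04-02T09:05:09Z bob mfa_approved 198.51.100.4
"""

SPRAY_PROMPTS = 3                        # prompts to one account inside the window (assumed)
SPRAY_WINDOW = timedelta(minutes=2)      # assumed threshold, tune per environment
REGISTER_AFTER = timedelta(minutes=10)   # device registration this soon after a spray (assumed)

def parse(log):
    # Turn each log line into a (timestamp, user, event, ip) tuple.
    events = []
    for line in log.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events

def find_mfa_spray(events):
    """Map user -> start of the first run of SPRAY_PROMPTS prompts within SPRAY_WINDOW."""
    prompts = defaultdict(list)
    for ts, user, event, _ in events:
        if event == "mfa_prompt":
            prompts[user].append(ts)
    hits = {}
    for user, times in prompts.items():
        times.sort()
        for i in range(len(times) - SPRAY_PROMPTS + 1):
            if times[i + SPRAY_PROMPTS - 1] - times[i] <= SPRAY_WINDOW:
                hits[user] = times[i]
                break
    return hits

def find_registration_after_spray(events, sprays):
    """Flag a new auth device registered within REGISTER_AFTER of a spray on the same account."""
    return [(user, ts, ip) for ts, user, event, ip in events
            if event == "device_registered" and user in sprays
            and ts - sprays[user] <= REGISTER_AFTER]

def detect(log=SAMPLE_LOG):
    # Returns (spray hits by user, device-registration alerts) for the given log text.
    sprays = find_mfa_spray(events := parse(log))
    return sprays, find_registration_after_spray(events, sprays)
```

Narrowing the alert to the registration-after-spray sequence, rather than alerting on every MFA prompt, is the kind of high‑fidelity signal the report asks for.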
