
SANS: Top 5 Most Dangerous New Attack Techniques to Watch

For the first time, SANS Institute's five top attack techniques all have one thing in common: AI.

Becky Bracken, Senior Editor, Dark Reading
March 25, 2026
6 Min Read

RSAC 2026 CONFERENCE – San Francisco – Each year SANS researchers head to the RSAC Conference to reveal the five top attack techniques. But 2026 marks a distinct shift: all are powered by artificial intelligence.

"We would be lying to you if we pointed out a trend in attacks that did not involve AI," SANS president and presentation moderator Ed Skoudis told the audience during a keynote session covering the Top 5. "That is just where we are in the industry."

Attack Technique #1: AI-Generated Zero Days, From Scarcity to Surplus

Zero-day exploits used to belong solely to well-funded nation-state actors stacked with sophisticated researchers. But AI has shattered that barrier to entry into the zero-day game, according to Joshua Wright, faculty fellow and senior technical director of the SANS Institute. Wright points out that independent researchers have used AI to discover zero days in widely deployed production software at a cost of as little as $116 in AI tokens, a fraction of the millions of dollars that more sophisticated actors had previously invested in finding such flaws.

"Attackers were already faster than us," Wright said. "AI has made the gap unbridgeable at our current pace." It is up to organizations to get faster to keep up, Wright advised, adding that this can be achieved with accelerated patching, automation, and AI-powered defense tools.

Attack Technique #2: Supply Chain Risks, Your Vendor's Vendor's Vendor

Two out of three organizations were affected by a software supply chain attack over the past year, and there has also been a surge both in third-party involvement in breaches and in the number of malicious packages published to open source registries, Wright said. He pointed out that the Shai-Hulud worm has infected more than a thousand open source packages and exposed 14,000 credentials across 487 organizations. Likewise, a China-affiliated group compromised the Notepad++ update infrastructure for six months, selectively delivering backdoors to targets in the energy, finance, government, and manufacturing sectors.

"Your attack surface is not the software you chose. It is the entire ecosystem of suppliers behind it," Wright said. Organizations should plan for supplier compromise before it occurs by demanding not just a list of materials but verifiable proof of how the software was built, he advised. They should also treat every update channel and developer tool their teams depend on daily as a potential supply chain risk.

Attack Technique #3: OT Complexity & Root Cause Crisis

Robert Lee, SANS Institute fellow and CEO and founder of Dragos, explained that years of OT incident response work have led him to recognize what he called a "growing accountability crisis." Network activity and other critical evidence following an OT compromise is often not available; the data often simply evaporates, Lee warned. A good example of this logging risk was a December 2025 attack on Poland's distributed energy resources that Dragos worked on, Lee explained. Investigators were able to confirm that disruption had occurred, but because no OT monitoring was in place, there was no visibility into what the threat actor was doing inside the systems following the breach.

In another instance, a state-level threat actor with intent to destroy equipment and "kill people" had been targeting a facility that had no visibility into its own infrastructure, he said, without naming the victim. A month later, the facility exploded. Chillingly, investigators still don't know whether the destruction came from an attack or was simply an accident, Lee said.

"Governments are not going to be comfortable not knowing what happened in their critical infrastructure and why someone died," Lee said. "That scenario is unacceptable, and it is already happening." Making matters worse, agentic AI is already in OT environments, he added, and organizations need to catch up and gain more visibility into these systems. He warned that investment in OT visibility cannot wait until the next catastrophe forces the issue.

Attack Technique #4: The Dark Side of AI, Irresponsible Use in Digital Forensics & Incident Response

Heather Barnhart, head of faculty and senior forensics expert at the SANS Institute and one of the world's leading DFIR experts, said that organizations deploying AI without training, validation frameworks, and investigative discipline are setting themselves up for failure. AI doesn't know what to look for and can't interpret evidence the way a human can, she added. An AI that renders a confident but incorrect verdict isn't helpful and certainly doesn't save any time or resources during a response, Barnhart said.

"Most breaches don't fail because of tools," Barnhart said. "They fail at decision points. AI cannot be the decision point." She reminded organizations that AI is also being used against vectors no one is monitoring, such as AI notetaking tools. The attack surface has ballooned well beyond the network, and trained humans need to be empowered with decision-making authority every step of the way, Barnhart added.

Attack Technique #5: Find Evil: The Race to Autonomous Defense

Rob Lee also said security researchers estimate that AI-driven attacks move 47 times faster than old-school, human-powered approaches. That means threat actors can take a stolen login and turn it into full admin control in an environment like AWS in less than 10 minutes.

Take a November campaign documented by Anthropic as an example. Known as "GTG 1002" and attributed to a Chinese state-sponsored group, the operation targeted more than 30 government and financial organizations and used AI tools to automate up to 90% of the attack process, including reconnaissance, exploitation, and lateral movement inside networks. Much of the damage was done without any human help.

So how can defenders respond? "They have their artificial intelligence," Lee said. "Now we build ours." He pointed to Protocol SIFT, an open source initiative from SANS Institute designed to help defenders catch up with AI-wielding attackers. It uses AI to organize workflows, surface insights, and coordinate tools, while humans remain responsible for validating results and making decisions.

"The goal is to accelerate analysts, not replace them, and early results suggest that the model can significantly compress response times," Lee said. In one response exercise involving a sophisticated, two-week attack scenario, an analyst used Protocol SIFT to wrap up the entire investigation in a little less than 15 minutes, including identifying the malware, mapping the attacker's movements, aligning the observed tactics, techniques, and procedures (TTPs) to known frameworks, and determining next steps. It is the ability of defenders to react quickly and coordinate across the global security community that will give them a true edge over attackers, Lee added.