
AI-Generated Attacks Are Reshaping Cybersecurity Spending in 2026

CrowdStrike’s 2026 Global Threat Report recorded a median adversary “breakout time”, the elapsed time between initial access to a network and lateral movement to other systems, of 2 minutes and 48 seconds, down from 7 minutes in 2024. The report attributes the compression primarily to AI-assisted attack automation: intrusion tooling that identifies exploitable network paths, generates privilege-escalation commands and exfiltrates target data with minimal human intervention between steps. Breakout time is the most directly operational of the report’s metrics. It is the window defenders have to detect and contain an intrusion before it spreads, and at under three minutes that window is only usable if detection and the first containment action are automated.

The budget response from enterprise security teams is measurable in the earnings reports of the two dominant pure-play cybersecurity platforms. Palo Alto Networks reported $2.3 billion in quarterly revenue in its most recent fiscal quarter, with “next-generation security” (its AI-integrated product suite) growing at 37% year-on-year. CrowdStrike’s Falcon platform added 800 net new customers in its most recent quarter despite an already-large installed base. Both companies are attributing the demand acceleration to AI-augmented threat sophistication raising the minimum viable security posture for enterprises that previously considered themselves below the targeting threshold for sophisticated intrusions.

Sub-Three-Minute Breakout Times Are Forcing a Defence Redesign

The practical implication of sub-3-minute breakout time is not that human security analysts are useless; it is that human-speed detection is structurally insufficient for the initial containment decision. Security operations centres built around human review of alerts, with analysts triaging and escalating, operate on timelines that were adequate when breakout time was measured in hours. At sub-3-minute breakout, the containment decision must be automated: a detection event triggers isolation of the affected endpoint before an analyst reviews it, with human review of the isolation decision happening after the fact. That only works if the automated action is itself bounded. A false positive that isolates a domain controller or a hypervisor host is an outage, so automated containment is in practice tiered by asset criticality and detection confidence, with the highest-value systems still routed to a human.
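The breakout-time metric defined at the top of the piece and the automated containment argument above, as one added worked example. This is illustrative code written for this page, not CrowdStrike’s or any vendor’s logic. The host timeline is constructed (timestamps are seconds after the initial-access event), and the confidence threshold, pipeline latency and protected-host list are assumptions of the example.

```python
"""Breakout-time-aware containment decision (added illustration)."""
from dataclasses import dataclass, field

# Constructed host timeline. 'lateral' is the first event that touches another
# system, which is what the breakout-time metric measures from initial access.
TIMELINE = [
    {"t": 0,   "host": "ws-014", "event": "initial_access",  "detail": "phishing payload executed"},
    {"t": 41,  "host": "ws-014", "event": "discovery",       "detail": "net group /domain"},
    {"t": 95,  "host": "ws-014", "event": "credential_dump", "detail": "lsass memory read"},
    {"t": 168, "host": "ws-014", "event": "lateral",         "detail": "SMB ADMIN$ to fs-02"},
]


def breakout_time(events):
    """Seconds from initial access to the first lateral-movement event, or None."""
    start = next((e["t"] for e in events if e["event"] == "initial_access"), None)
    lateral = next((e["t"] for e in events if e["event"] == "lateral"), None)
    if start is None or lateral is None:
        return None
    return lateral - start


@dataclass
class ContainmentPolicy:
    # Minimum detection confidence for isolating without a human decision (assumed).
    auto_isolate_confidence: float = 0.85
    # Assumed tier-0 hosts: auto-isolating one of these is an outage, so they
    # go to an analyst regardless of confidence.
    protected_hosts: set = field(default_factory=lambda: {"dc-01", "dc-02", "hv-01"})
    # Assumed end-to-end latency, in seconds, from telemetry arrival to network isolation.
    pipeline_latency_s: int = 30
    # Every decision, automated or not, is recorded for after-the-fact review.
    review_queue: list = field(default_factory=list)

    def decide(self, host, confidence, detected_at_s):
        """Return (action, isolated_at_s); isolated_at_s is None when a human decides."""
        if host in self.protected_hosts or confidence < self.auto_isolate_confidence:
            action, isolated_at = "queue_for_analyst", None
        else:
            action, isolated_at = "auto_isolate", detected_at_s + self.pipeline_latency_s
        self.review_queue.append((host, confidence, detected_at_s, action))
        return action, isolated_at


def contained_before_breakout(policy, events, host, confidence, detected_at_s):
    """True only if automated isolation lands before the first lateral move."""
    bt = breakout_time(events)
    action, isolated_at = policy.decide(host, confidence, detected_at_s)
    return action == "auto_isolate" and bt is not None and isolated_at < bt


if __name__ == "__main__":
    policy = ContainmentPolicy()
    print("breakout time:", breakout_time(TIMELINE), "s")
    print("credential dump detected at 95 s, contained in time:",
          contained_before_breakout(policy, TIMELINE, "ws-014", 0.9, 95))
    print("same detection 55 s later, contained in time:",
          contained_before_breakout(policy, TIMELINE, "ws-014", 0.9, 150))
    print("review queue:", policy.review_queue)
```

The useful number to extract from your own telemetry is the sum of detection latency and isolation latency, measured the same way: if that sum is not comfortably below the breakout times you are seeing, the policy threshold is the wrong knob and the pipeline latency is the one to fix.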

This constraint is reshaping the security architecture buying pattern more than any specific threat. Identity and access management (IAM) — which controls what any authenticated session can access — is receiving the largest incremental budget because it can constrain lateral movement even when initial access succeeds. If an attacker compromises a user credential, IAM controls limit what that credential can reach. The speed of the intrusion is less consequential when the available lateral paths are constrained.
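What “constraining the available lateral paths” means in concrete terms, as an added example written for this page rather than taken from the article or any vendor. The access graphs are constructed. Edges are directed relationships an attacker can follow in the style of BloodHound-type tooling: member_of (identity to group), admin_on (identity or group to host) and has_session (host to an identity whose credential material can be harvested there once the host is controlled). The tiering rules are an assumption of the example.

```python
"""Reach of one compromised credential under a flat vs. a tiered access model."""
from collections import deque

HOSTS = {"ws-014", "fs-02", "app-01", "dc-01"}
TIER0_HOSTS = {"dc-01"}
TIER0_GROUPS = {"domain admins"}

# Flat model: one helpdesk group is local admin everywhere, and a domain admin
# has an interactive session on an ordinary application server.
FLAT = [
    ("alice", "member_of", "helpdesk"),
    ("helpdesk", "admin_on", "ws-014"),
    ("helpdesk", "admin_on", "fs-02"),
    ("helpdesk", "admin_on", "app-01"),
    ("app-01", "has_session", "da-bob"),
    ("da-bob", "member_of", "domain admins"),
    ("domain admins", "admin_on", "dc-01"),
    ("domain admins", "admin_on", "app-01"),
]

# Tiered model: helpdesk is admin on workstations only, servers are run by a
# separate group, and domain admins log on to tier-0 hosts only.
TIERED = [
    ("alice", "member_of", "helpdesk"),
    ("helpdesk", "admin_on", "ws-014"),
    ("srv-admins", "admin_on", "fs-02"),
    ("srv-admins", "admin_on", "app-01"),
    ("app-01", "has_session", "svc-app"),
    ("da-bob", "member_of", "domain admins"),
    ("domain admins", "admin_on", "dc-01"),
    ("dc-01", "has_session", "da-bob"),
]


def reachable(edges, start):
    """Breadth-first search over the edge list from a compromised identity."""
    adj = {}
    for src, _rel, dst in edges:
        adj.setdefault(src, []).append(dst)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def hosts_reachable(edges, start):
    """Sorted hosts an attacker holding `start` can reach: the lateral-movement
    surface that the IAM design either leaves open or closes off."""
    return sorted(n for n in reachable(edges, start) if n in HOSTS)


def tier0_session_violations(edges):
    """Tier-0 identities with sessions on non-tier-0 hosts: the misconfiguration
    that turns a single workstation compromise into domain compromise."""
    members = {src for src, rel, dst in edges if rel == "member_of" and dst in TIER0_GROUPS}
    return sorted((host, who) for host, rel, who in edges
                  if rel == "has_session" and who in members and host not in TIER0_HOSTS)


if __name__ == "__main__":
    for name, graph in (("flat", FLAT), ("tiered", TIERED)):
        print(name, "reach from alice:", hosts_reachable(graph, "alice"),
              "tier-0 session violations:", tier0_session_violations(graph))
```

The same phished credential reaches every host, including the domain controller, in the flat model and a single workstation in the tiered one; the attacker’s speed does not enter the calculation. The violation check is the one worth running continuously, because a single privileged logon to the wrong host re-opens the path.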

Anthropic’s Project Glasswing zero-day research, which identified 10,000 software vulnerabilities using Claude’s Mythos Preview, is a direct example of how AI is accelerating the vulnerability discovery side of the security landscape. The same capability that enables defensive research enables offensive discovery; the 1% patch rate that Anthropic observed in their responsible disclosure programme is a measure of how far patch velocity lags behind vulnerability identification velocity — a gap that AI-assisted scanning is widening.

Where Security Budgets Are Flowing

The allocation shift in enterprise security budgets in 2026 has two dominant destinations: identity security and AI-integrated detection tooling. Identity security — Microsoft Entra ID, Okta, CyberArk — is growing because the attack vector for most AI-assisted intrusions is credential compromise rather than technical exploitation. Phishing emails generated by LLMs at scale, with personalisation that previously required individual attacker research, are producing credential compromise rates that exceed prior-year baselines even at organisations with mature security training programmes.

AI-integrated detection — CrowdStrike Falcon’s AI correlation layer, Palo Alto’s Cortex XSIAM, Darktrace’s autonomous response — is growing because the volume of security telemetry generated by modern enterprise environments exceeds human analyst review capacity. A mid-size enterprise generates millions of log events per day; the security operations centre cannot review them without automated triage. AI-driven triage — classifying events by severity, correlating related events into incidents, and suppressing noise — is becoming a prerequisite for staffed security operations at any scale, not a premium capability.
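The triage loop described above (classify by severity, correlate into incidents, suppress noise) as an added worked example over constructed log lines. This is illustrative code written for this page, not the correlation logic of any of the products named; the log format, stage rules, weights, noise rules and five-minute window are all assumptions of the example. It demonstrates the rule-driven core that the vendors’ statistical layers sit on top of.

```python
"""Rule-based event triage and per-host incident correlation (added illustration)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed telemetry in a simple key=value format; not real vendor output.
LOGS = """\
2026-03-04T09:12:01Z host=ws-014 src=edr sev=low msg="process_start image=powershell.exe parent=outlook.exe"
2026-03-04T09:12:03Z host=ws-014 src=proxy sev=low msg="http_connect dst=203.0.113.7:443 bytes=1822"
2026-03-04T09:12:44Z host=ws-014 src=edr sev=medium msg="credential_access target=lsass.exe"
2026-03-04T09:13:20Z host=ws-014 src=auth sev=low msg="logon type=3 user=alice dst=fs-02"
2026-03-04T09:15:00Z host=ws-020 src=edr sev=low msg="process_start image=chrome.exe parent=explorer.exe"
2026-03-04T09:15:02Z host=ws-020 src=proxy sev=low msg="http_connect dst=198.51.100.9:443 bytes=9100"
2026-03-04T10:41:10Z host=srv-09 src=av sev=medium msg="signature_update version=2026.03.04"
"""

LINE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) sev=(?P<sev>\S+) msg="(?P<msg>[^"]*)"$')

# Assumed stage rules: (stage, pattern, weight). 203.0.113.0/24 is a documentation
# range standing in for a threat-intel-listed command-and-control address.
STAGES = [
    ("execution", re.compile(r"process_start image=(powershell|cmd|wscript)\.exe"), 2),
    ("command_and_control", re.compile(r"http_connect dst=203\.0\.113\.\d+:"), 2),
    ("credential_access", re.compile(r"credential_access target=lsass\.exe"), 4),
    ("lateral_movement", re.compile(r"logon type=3 user=\S+ dst=\S+"), 3),
]
# Assumed noise rules: dropped before correlation so they never inflate an incident.
NOISE = [
    re.compile(r"^signature_update "),
    re.compile(r"^process_start image=chrome\.exe parent=explorer\.exe"),
]
WINDOW_S = 300  # events on one host within 5 minutes of the previous one join the same incident


def parse(text):
    """Parse the constructed format into dicts with a datetime timestamp."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            out.append(d)
    return out


def classify(ev):
    """Return (stage, weight), or None when the event matches a noise rule."""
    msg = ev["msg"]
    if any(p.search(msg) for p in NOISE):
        return None
    for stage, pat, weight in STAGES:
        if pat.search(msg):
            return stage, weight
    return "uncategorised", 0


def correlate(events):
    """Per host, chain classified events within WINDOW_S into incidents, score
    them, and drop anything that carries no attack-stage weight."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        c = classify(ev)
        if c is not None:
            by_host[ev["host"]].append((ev, c[0], c[1]))
    incidents = []
    for host, evs in by_host.items():
        cur = None
        for ev, stage, weight in evs:
            if cur is None or (ev["ts"] - cur["last"]).total_seconds() > WINDOW_S:
                cur = {"host": host, "first": ev["ts"], "last": ev["ts"],
                       "stages": set(), "score": 0, "events": 0}
                incidents.append(cur)
            cur["last"] = ev["ts"]
            cur["events"] += 1
            cur["score"] += weight
            if stage != "uncategorised":
                cur["stages"].add(stage)
    for inc in incidents:
        # Distinct stages chained on one host are worth more than repeats of one stage.
        inc["score"] += 3 * max(0, len(inc["stages"]) - 1)
        if {"credential_access", "lateral_movement"} <= inc["stages"]:
            inc["priority"] = "critical"
        elif inc["score"] >= 6:
            inc["priority"] = "high"
        else:
            inc["priority"] = "low"
    return sorted((i for i in incidents if i["score"] > 0), key=lambda i: i["score"], reverse=True)


def triage(text):
    return correlate(parse(text))


if __name__ == "__main__":
    for inc in triage(LOGS):
        print(inc["priority"], inc["host"], inc["score"], sorted(inc["stages"]), inc["events"], "events")
```

Seven raw events collapse to one incident: the chrome launch and the signature update are suppressed outright, the ws-020 proxy connection scores nothing and is dropped, and the four ws-014 events chain into a single critical incident because they span distinct stages within the window. The individual events were all “low” or “medium” severity; the stage chain, not any one event, is what makes the incident urgent.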

Cloudflare’s record revenue alongside workforce reduction demonstrates the same pattern in network security infrastructure: AI is enabling more traffic analysis, more bot detection, and more DDoS mitigation with fewer human operators per unit of protected traffic. The Cloudflare case study is widely cited in enterprise security discussions because it shows that the productivity gain from AI-integrated security tooling can be substantial even when the overall threat volume is rising.

The Small Business and Mid-Market Exposure Gap

The cybersecurity budget acceleration is concentrated in large enterprises. The CISA AI Cybersecurity Collaboration Playbook, published in January 2025, explicitly acknowledges that smaller organisations face the same AI-augmented threat landscape as large enterprises but lack the budget and staffing to deploy equivalent defensive tooling. The playbook’s recommendations for smaller organisations centre on identity hygiene (multi-factor authentication, privileged access management) and managed detection and response (MDR) services that outsource the AI-integrated security operations function to a third-party provider.

The MDR market — where a vendor operates the security operations function as a service — is growing faster than the enterprise security product market, partly for this reason. Small and mid-size businesses that cannot build an AI-integrated security operations function internally are outsourcing it to MDR vendors who amortise the tooling investment across a larger client base. CrowdStrike’s Falcon Complete (its managed detection and response service), Microsoft’s Defender for Business (the SMB tier of the Defender suite, typically deployed and monitored through Microsoft’s managed-service partners), and SentinelOne’s Vigilance are all reporting mid-market growth that exceeds their enterprise segment growth rates.

Big tech’s workforce reductions to fund AI infrastructure have reduced the headcount of security teams at companies simultaneously increasing their AI exposure surface. This tension — fewer security engineers at organisations deploying more AI-integrated infrastructure — is one of the structural dynamics that MDR vendors are capitalising on. The security staffing market has not kept pace with the security posture requirements created by AI infrastructure deployment, and the gap is being closed by managed services rather than internal hiring.

The Security Industry Measures the Threats Its Products Address

Glenn Greenwald’s core investigative question — who benefits from the narrative, and who provided the data that constructs it — applies with particular force to cybersecurity threat reporting. The sub-three-minute breakout time figure, cited as the justification for a fundamental re-architecture of enterprise security spending, comes from CrowdStrike’s own threat intelligence report. CrowdStrike sells the AI-powered detection tools that a sub-3-minute breakout time makes necessary. The circularity here is not evidence of bad faith — the data may be accurate — but it is evidence that the reader should know who is making the measurement before accepting what the measurement implies about spending requirements.

This is not unique to CrowdStrike. The major cybersecurity vendors — Palo Alto Networks, SentinelOne, Microsoft — all publish annual threat intelligence reports that document the threat landscape their own tools are designed to address. The reports are methodologically rigorous and the data is generally reliable. The question is not accuracy but completeness: what is not measured, and what conclusions does the unmeasured data prevent? Breakout time tells you about lateral movement velocity once a network is breached. It does not tell you about initial breach vector distribution, which determines whether endpoint detection speed is actually the bottleneck in a typical enterprise compromise. If, to take an illustrative figure, 70% of breaches begin with phishing-enabled credential theft, then sub-3-minute breakout detection is solving the second problem, not the first.

The small and mid-market exposure gap is real. The concentration of AI-augmented security tools in large enterprise deployments creates an asymmetric vulnerability that is not well served by the current security vendor market structure — the tools that address AI-generated attack volume are priced and architected for organisations with dedicated security operations teams. This is a structural market failure that managed security service providers are filling more effectively than direct vendor channels. The question that the next security budget cycle should be asking is not “which AI detection tool performs best on the benchmark” but “which threat vector is actually responsible for the most breaches in our organisation’s category, and is our current spend addressing that vector or a more visible but less prevalent one?”

Alani Tahir
Alani Tahir spent six years as a Gartner analyst covering enterprise cloud infrastructure before the gap between what large companies announced about AI and what they were actually deploying became interesting enough to write about publicly. Based in Chicago, she covers cloud economics, AI infrastructure decisions at scale, and the enterprise reality underneath vendor announcements.