Hackers are moving much faster in compromising digital infrastructure, a new report says, posing a growing challenge to cyber security efforts
The report, The Broken Physics of Remediation by California-based IT security firm Qualys, said that it is time for cyber security to evolve, and to make the most of AI and automation to deal with the increasing pace and volume of attacks.
“The attacker’s timeline is the only one that matters,” the report says. “Risk whack-a-mole does not scale.”
Saeed Abbasi, head of Qualys's threat research unit, said the company's findings come at a time when the average time to exploit – or the length of time it takes for hackers to discover and act on a vulnerability in software and hardware – has collapsed, creating the perfect storm for greater financial losses and technological gridlock resulting from hacks.
“Even if an IT team is working hard and patching vulnerabilities and closing more tickets than ever before, things are getting worse,” Mr Abbasi said.
“They're not getting worse at patching, it's just that the volumes are so high.”
The Qualys report added that while hackers might have the advantage of speed, this might not be the most crucial aspect of the problem.
The report comes amid speculation and debate over whether or not AI could make cyber security efforts more difficult.
Qualys argues that a “foundational architectural shift away from reactive human triage” is needed, with efforts instead focused on a move towards “a Risk Operations Centre (ROC) that fuses embedded intelligence, deterministic confirmation of actual exploitability, and autonomous remediation into a single operational loop”.
According to Qualys chief executive Sumedh Thakar, using AI and automation does not mean a reduced role for humans in cyber security. Rather, it means that human workers can be elevated to pursue other areas to bolster security.
“Welcome to the new operational reality,” Mr Thakar wrote in the report, emphasising that those tasked with keeping governments, companies and organisations safe should shift “from executing tactical actions to governing the policies that guide autonomous systems”.
Mr Abbasi said that, unlike countries that have major legacy systems to overhaul, nations throughout the Middle East might have the upper hand when it comes to speeding up responses to cyber attacks.
“The opportunity is there for moving quickly because in many cases the digital infrastructure is being built from the ground up, so it can be built right with autonomous defence implemented from day one,” he said.
Concerns over nefarious cyber actors ranked among the top 10 concerns in the short and long term among those surveyed in the World Economic Forum's 2026 Global Risks report.
“Technological risks are also anticipated to worsen in severity over the next decade,” WEF's analysis warned.
