
    Countering the 22-second ransomware hand-off: Why the first alert now determines the entire incident

    Source: TechCabal


    The cyber-attack lifecycle has entered a new, unforgiving phase, a point underscored at the recent Google Cloud Next 2026 event, where leaders highlighted how AI-driven security operations are reshaping both attack and defence.

    The event showcased how autonomous security operations (SecOps) tooling is accelerating detection, correlation, and response across cloud and hybrid environments, reflecting a world in which machine-speed threats now dominate.

    This shift is further quantified in the Mandiant M-Trends 2026 report, produced with Google Cloud Security, which showed that the median ‘time to hand-off’ between an initial access broker and a secondary ransomware group has collapsed from more than eight hours in 2022 to just 22 seconds in 2025. Adversaries are no longer relying on slow, forum-based access sales. Instead, they are pre-staging malware and working directly with partners, enabling near-instant activation once access is obtained.

    Twenty-two seconds is not a response window but a warning shot, states Wessel Pieterse, Cybersecurity Practice Lead at Accelera Digital Group (ADG). “By the time a Security Operations Centre (SOC) analyst has finished reading the alert, the ransomware crew may already be inside the environment. The only viable defence is to treat every minor anomaly as a potential precursor to a catastrophic breach.”

    The industrialisation of the ransomware economy

    The M-Trends report notes that this acceleration is often driven by automated delivery pipelines, where initial access brokers deploy malware on behalf of secondary groups rather than advertising access on underground markets. This reflects a broader industrialisation of cybercrime, with attackers now operating in coordinated supply chains optimised for speed.

    “We’re no longer dealing with isolated actors. We’re dealing with supply chains. And supply chains optimise for speed. That’s why the hand-off has collapsed from hours to seconds – and why defenders must collapse their detection and response cycles just as aggressively,” Pieterse says.

    Why ‘minor’ alerts can no longer be deprioritised

    The report makes it clear that the earliest signals of compromise, often dismissed as low-severity, are now the most important. Exploits remain the most common initial infection vector, accounting for 32% of intrusions, followed by phishing at 11%.

    These early-stage events frequently occur during what Mandiant calls the non-interactive phase, before a human operator takes over. This is the only phase in which defenders have a meaningful chance to contain the intrusion before a ransomware group begins hands-on-keyboard operations.

    “If you wait for a high-fidelity alert, you’ve already lost. The new priority is to remediate during the non-interactive phase, before the attacker can pivot, escalate, or trigger their automated hand-off,” Pieterse warns.
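    To make the "remediate during the non-interactive phase" point concrete, here is an added example in Python (not code from the article, Mandiant, Google Cloud or ADG): an escalation rule that treats two low-severity precursor events on the same host inside the 22-second hand-off budget as grounds for containment, set beside a conventional rule that waits for a high-severity alert. The event names, the PRECURSOR set, the log format and the sample log lines are all constructed for illustration; only the 22-second budget comes from the report figure quoted above.

```python
"""Precursor-chain escalation for early-stage (non-interactive phase) signals.

Added example, not code from the article or from Mandiant/Google/ADG.
Event names, the PRECURSOR set, the log format and SAMPLE_LOG are constructed
for illustration. The 22-second budget is the M-Trends 2026 median hand-off.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

HANDOFF_BUDGET = timedelta(seconds=22)

# Low-severity event types a SOC queue would normally park as informational.
# Each is a plausible trace of the automated, pre-human phase. Constructed set.
PRECURSOR = {
    "ids.exploit_attempt",      # signature hit against an edge appliance
    "edr.new_scheduled_task",   # persistence staged by tooling, not a human
    "proxy.first_seen_domain",  # beacon to a never-before-seen domain
    "auth.new_geo_login",       # stolen credential used from a new location
}

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    severity: str  # "low" | "medium" | "high", as the SIEM labelled it

@dataclass
class Decision:
    host: str
    action: str            # "contain" or "watch"
    first_signal: datetime
    decided_at: datetime
    chain: List[str]

    @property
    def latency(self) -> timedelta:
        return self.decided_at - self.first_signal

def parse_line(line: str) -> Event:
    """Parse 'ISO8601 host kind severity' (constructed log format)."""
    ts, host, kind, sev = line.split()
    return Event(datetime.fromisoformat(ts), host, kind, sev)

def evaluate(events: List[Event], budget: timedelta = HANDOFF_BUDGET) -> List[Decision]:
    """Contain on the SECOND precursor per host inside the budget.

    Two individually low-severity precursors on one host within the hand-off
    window are treated as sufficient to contain, instead of waiting for a
    high-fidelity alert that tends to arrive after the hand-off has happened.
    Events are sorted first, so out-of-order delivery does not break chains.
    """
    open_chains: Dict[str, List[Event]] = {}
    decisions: List[Decision] = []
    contained = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.host in contained:
            continue
        if ev.severity == "high":
            # High-fidelity alert: contain, but measure how late it arrives.
            chain = open_chains.pop(ev.host, [])
            first = chain[0].ts if chain else ev.ts
            decisions.append(Decision(ev.host, "contain", first, ev.ts,
                                      [e.kind for e in chain] + [ev.kind]))
            contained.add(ev.host)
            continue
        if ev.kind not in PRECURSOR:
            continue
        chain = open_chains.setdefault(ev.host, [])
        # Precursors older than the budget are no longer part of a live hand-off.
        chain[:] = [e for e in chain if ev.ts - e.ts <= budget]
        chain.append(ev)
        if len(chain) >= 2:
            decisions.append(Decision(ev.host, "contain", chain[0].ts, ev.ts,
                                      [e.kind for e in chain]))
            contained.add(ev.host)
            del open_chains[ev.host]
    # A lone precursor is kept under watch rather than discarded.
    for host, chain in open_chains.items():
        decisions.append(Decision(host, "watch", chain[0].ts, chain[-1].ts,
                                  [e.kind for e in chain]))
    return decisions

def conventional(events: List[Event]) -> List[Decision]:
    """Baseline: contain only on a high-severity alert; latency is still
    measured from the first precursor so the two rules compare like for like."""
    first_seen: Dict[str, datetime] = {}
    decisions: List[Decision] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in PRECURSOR:
            first_seen.setdefault(ev.host, ev.ts)
        if ev.severity == "high":
            decisions.append(Decision(ev.host, "contain",
                                      first_seen.get(ev.host, ev.ts), ev.ts, [ev.kind]))
    return decisions

def within_budget(d: Decision, budget: timedelta = HANDOFF_BUDGET) -> bool:
    return d.latency <= budget

# Constructed sample: one host shows a tight precursor chain, the other a single
# stray login hours apart from its next signal. Deliberately not in time order.
SAMPLE_LOG = """\
2025-06-01T10:00:00+00:00 vpn-edge-01 ids.exploit_attempt low
2025-06-01T10:00:09+00:00 vpn-edge-01 proxy.first_seen_domain low
2025-06-01T10:00:14+00:00 vpn-edge-01 edr.new_scheduled_task low
2025-06-01T10:07:30+00:00 vpn-edge-01 edr.ransomware_note high
2025-06-01T10:01:00+00:00 fileserver-02 auth.new_geo_login low
2025-06-01T10:05:00+00:00 fileserver-02 proxy.first_seen_domain low
"""

if __name__ == "__main__":
    evs = [parse_line(l) for l in SAMPLE_LOG.splitlines()]
    for label, rule in (("precursor", evaluate), ("conventional", conventional)):
        for d in rule(evs):
            print(f"{label:12} {d.host:14} {d.action:8} "
                  f"latency={d.latency.total_seconds():>5.0f}s "
                  f"in_budget={within_budget(d)} chain={d.chain}")
```

    On the sample, the precursor rule contains vpn-edge-01 nine seconds after the first exploit hit, while the conventional rule only acts on the ransomware note 450 seconds later; fileserver-02 is left under watch because its two signals are minutes apart. Two caveats a practitioner would add: 22 seconds is a median, so the real budget for a given intrusion may be shorter, and an auto-containment rule this aggressive has to be paired with a fast, well-tested release path because some of the hosts it isolates will be false positives.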

    AI-powered attackers and the need for AI-powered defence

    Google Cloud Next 2026 reinforced that AI is now deeply embedded in both attack and defence. But Pieterse stresses a critical nuance: “AI is protecting you, but who is protecting your AI? As organisations adopt AI-driven security agents, they must secure the models, data pipelines and cloud infrastructure that power them. Attackers are already probing these systems.”

    This aligns with growing concerns about AI model poisoning, data exfiltration from training sets, and adversarial manipulation of inference pipelines. As AI becomes central to SecOps, it also becomes a high-value target.

    Securing the cloud-to-database pipeline

    The M-Trends 2026 report highlights that attackers increasingly exploit native cloud functionalities and unmonitored edge devices to maintain persistence.

    Organisations must now secure the entire cloud-to-data pipeline with far greater discipline. Pieterse notes that cloud posture hardening is the first non-negotiable step, while Data Loss Prevention must be enforced consistently across cloud, SaaS, and endpoint environments.

    Identity remains another critical weak point, with stolen credentials accounting for 9% of intrusions and prior compromise for 10%, making strong identity and access governance essential to reducing the blast radius of any breach. And as AI becomes embedded in business operations, AI workloads must be treated as part of the attack surface.

    Together, these measures form the minimum baseline for resilience in an environment where attackers move at machine speed, and defenders can no longer afford to overlook even the smallest anomaly.

    The SOC of the future

    The collapse of the hand-off window demands a new operational model. Traditional SOC workflows, such as manual triage, sequential investigation and human-driven correlation, cannot operate at 22-second speed.

    Google Cloud Next 2026 showcased a wave of autonomous security agents capable of detecting, analysing, and responding to threats without human intervention. The SOC of the future will be agent-driven, with AI handling the first 90% of detection and response.

    The M-Trends 2026 report also notes that organisations are improving internal visibility, with 52% of incidents first detected internally, up from 43% the previous year. This is encouraging, but Pieterse cautions that visibility without urgency is insufficient. Every alert must be treated as if the attacker is already preparing the hand-off, because statistically, they are.

    In an era where ransomware crews can take over an environment faster than a SOC analyst can read an alert, the only viable strategy is to collapse the defender’s response cycle to match the attacker’s speed, and to treat every early-stage signal as the moment that determines the entire incident.