Cyber security is under intense scrutiny these days, especially as more adversarial AI-based attacks such as Scattered Spider can use a variety of living-off-the-land methods to spread and speed their impact and disguise their operations. This means that defending today’s networks requires a quicker and more sophisticated, in-depth response.
Offensive AI is beginning to thrive: Google’s Threat Intelligence group has tracked new and maturing AI-fueled attack methods including AI tools that can bypass safety guardrails, generate malicious scripts, and automatically evade detection. Anthropic has observed what it calls the first known use of AI-based orchestration to stitch together different pieces of malware to perform network reconnaissance, discover vulnerabilities, move laterally across a target network, and harvest data.
This AI orchestration can happen at a speed and scale that could easily overwhelm manual detection and remediation methods. These are new attacks in every sense of the word and use the automation and intelligence of a machine learning algorithm to subvert digital defenses.
These attacks are just the beginning of how AI can be used to bypass traditional security protections. While the history of credential compromise goes back decades, what is new is the level of scale that can be accomplished with just a few AI prompts and how that can leverage AI-powered harvesting to collect a huge amount of stolen data.
This is just one way bad actors use AI. This Cloud Security Alliance report from June 2025 lists more than 70 different ways that autonomous AI-based agents can be used to attack enterprise systems, and demonstrates how these agents significantly expand the attack surface beyond traditional trust boundaries and security practices.
Truly, nothing is safe any longer, and we are firmly now in the era of zero trust. Since the term was first coined by John Kindervag in 2009 when he was at Forrester Research, it has blossomed into an almost universal set of circumstances. The difference with today’s networks is that SOC analysts also can’t take anything for granted, and have to become more effective at finding and stopping attacks no matter where they originate.
Why NDR matters against AI-powered attacks
As organizations search for better ways to defend new AI threats, they are turning to network visibility to understand how these techniques can be useful as a defensive mechanism.
Unlike legacy solutions that focus on blocking known traffic signatures or rely on manual investigation, network detection & response (NDR) systems continuously monitor and analyze network data, provide real-time insight to detect fast-moving, deceptive AI-based threats and automatically identify abnormal data transfers and network traffic patterns. These systems augment simple network visibility with real-time analytics.
Today’s legacy defensive systems were designed to focus on these known threats in the era before AI could create thousands of customized malware variants.
This could be one reason why searching for “Network Detection and Response solutions” is on the increase, according to both Google Trends and Gartner’s Magic Quadrant for Network Detection and Response report.
Trusted to defend the world’s most sensitive networks, Corelight’s Network Detection & Response (NDR) platform combines deep visibility with advanced behavioral and anomaly detections to help your SOC uncover new AI-powered threats.
Take action against threats today
Here is how today’s NDR systems can counter AI-driven attacks:
— Identifying and counteracting AI-fueled reconnaissance campaigns and other fast-moving polymorphic attacks. What these attacks have in common is the ability to use automated techniques to test for unprotected points of entry or for unpatched vulnerabilities. It is as if a burglar were able to quickly jiggle a series of hundreds of locked doors to find the one that has been accidentally left open. An NDR solution can keep pace with higher traffic volumes generated by these automated systems—and is able to process all this data in a timely fashion—which is critical to finding the intruder hidden amongst normal activity.
NDR systems employ real-time monitoring to inspect all network traffic. This enables them to detect threats and reconstruct timelines and components of various types of attacks. As an example, these systems often include various automation and AI/ML methods to reveal things such as lateral network threat movement or other anomalous behavior that is a sign of a bad actor’s evasive approaches. An NDR solution should also be able to separate false positives from true positive alerts while providing the surrounding context and network-based implications to investigate true threats.
— Second, to summarize and analyze what is happening across an enterprise’s networks and cloud estates. This could be calculating the ratio of encrypted to unencrypted traffic, for example, and comparing it with a historical baseline, or observing that a network router has never used SSH to connect to the internet previously and is now using this protocol. Or, it could identify connections to new services or IP addresses. Insights like these are helpful for security teams, giving them better context during their investigations and helping them understand how network traffic changes over time.
— Third, be able to save these patterns to some storage medium for future inspection and analysis. The system can recognize and extract individual files and analyze them for further action, such as to set up specific policies to prevent this behavior, or to see what happened in the past to circumvent defenses. One example is to record an inappropriate file upload that uses an image extension, such as .jpg or .png, but is actually an executable file that could form the basis of an attack.
— Finally, to be able to render a verdict on whether some event is benign, suspect, or malicious, and do so by using automated methods to go beyond recognizing simple malware signatures or behaviors. This can help reduce pressures on SOC analysts and eliminate false positives. Using the SSH traffic exploit example mentioned above, while NDR can’t look inside the encrypted traffic, it can easily identify that this is a new situation and flag it as a potential abuse thanks to its network visibility powers. As attackers step up their game with more ways to hide their efforts, it becomes more important to quickly triage any potentially harmful event.
As adversaries increasingly lean into AI to evade legacy defenses, network visibility is helping SOCs to spot their moves. Whether they’re probing entry points, moving laterally, or hiding in plain sight, SOCs are intercepting them before real damage is done.
NDR’s unique strength lies in providing actionable insights for analysts to troubleshoot problems that traditional tools ignore or bury deep within their logs. Incident responders can quickly investigate unusual network traffic or suspicious application use, identify hidden malware or intruders, and resolve incidents faster. They’re given the potential to reduce the blast radius of a malware infection or prevent a bad actor from stealing proprietary data.
With widespread environmental visibility and faster response, NDR gives organizations agility, preparing them for a future in which attackers leverage ever-evolving, AI-driven tactics.
To discover more about Corelight NDR, visit corelight.com/elitedefense.
Sponsored and written by Corelight.