More recently, researchers at Cisco revealed that frontier models from OpenAI, Anthropic, Google, xAI, and Amazon have significantly worse risk profiles when pressured in multi-turn attacks, a discovery that revealed attack success rates are considerably higher than those benchmarked in simulated single-prompt attacks. This, combined with recent news that the Google Threat Intelligence Group identified what researchers believe to be the first zero-day exploit created using AI, represents an entirely new stage in the technological arms race.
Those old-fashioned tabletop exercises where, once a year, you’d get everyone from IT to PR in a room for a couple of days and play out various scenarios and then tick that audit box for another 12 months aren’t going to cut it when attackers are probing on a daily basis. The military is using dynamic cyber ranges to test their real tools, people, and processes, in an exact simulation of their unique environment, against real-world threats like the tactics of Scattered Spider. Without real-world testing of your team’s capabilities, you’re not going to be able to go into an incident scenario confident that everyone’s prepared.
So, what can we learn from how the military prepares for cyberattacks in terms of mindset, readiness, and execution?
Military cyber doctrine starts with the assumption that you will be attacked and so prepare as though an attack is inevitable and not hypothetical. Businesses need to shift their mindset from “preventing breaches” to “detail, contain, and recover” and treat incidents as operational events rather than reputational crises. This reduces panic and leads to better decisions under pressure. It’s also critical for business leaders to understand their true vulnerabilities. Reputational and financial harm is typical collateral damage following a cyberattack, but was this the intended outcome? If sensitive data is compromised, are there persistent threats beyond the initial attack? Just as the military examines the secondary and tertiary impacts of risk scenarios in threat modeling, business leaders have to consider what else beyond their reputation and stock price may be compromised when they are attacked.
