AI against AI: The digital arms race in Cybersecurity

While you're reading this, cybercriminals are training AI models to break through your defenses. Attackers keep innovating, forcing SOC teams to constantly refine their tactics.

In a world where digital threats grow more sophisticated every day, artificial intelligence has become a crucial player in the battle between attackers and defenders. AI is increasingly penetrating the business world, integrated into software and processes at every level. Both offensive and defensive teams use AI to achieve their goals. In this blog, we explore how malicious actors deploy AI and how Blue Teams can use it to detect and counter these attacks.

Artificial intelligence isn't a new technique. Its foundation dates back to the 1950s, when computer scientist Alan Turing wrote a paper titled 'Computing Machinery and Intelligence'. The central question was whether machines could think.

At the time, he couldn't properly define what 'thinking' meant in this context or what kind of 'machines' should be used. It wasn't until the 1980s that the first systems became available for AI use. However, limited computing power and data availability kept development restricted. Real progress only started around 2010, when powerful GPUs became available that could train AI models faster. More data, both online and offline, became available as input for these models.

Since then, AI has been increasingly deployed in cybersecurity. It's primarily used to improve spam filters and detect phishing emails, but also in antivirus software to better identify unknown malware and detect statistical anomalies in network traffic.

AI usage took off with the first release of ChatGPT by OpenAI in 2022. GPT stands for generative pre-trained transformer, capable of generating text, speech, and images in response to user prompts. From that moment, the general public could experience AI firsthand, and it became rapidly integrated into countless applications.

Research shows that in 2024, 20% of Dutch organizations suffered damage from a cyberattack. The average cost was €300,000. These are the direct costs, including incident response, infrastructure damage repair, and lost deals due to system unavailability. Indirect costs like reputation damage and loss of intellectual property aren't included. Smaller companies face increased risk because these organizations often have less focus on cybersecurity. According to the Cybercrime Trends 2025 report, an alarming 87% of organizations worldwide have dealt with a cyberattack involving some form of AI.

As mentioned above, a significant percentage of cybercrime involves AI. Phishing remains the most common form of cybercrime. In the past year, one-third of all employees received at least one targeted phishing campaign. That's a 25% increase compared to the previous year.

Social media is a favorite source for malicious actors. More information is being shared on platforms like LinkedIn, Facebook, and X. By capitalizing on current organizational campaigns, analyzing language use, and gaining insight into employees, attackers feed their AI tools with information. These tools then generate phishing emails with the right tone of voice, based on current topics, appearing to come from the right colleague.

AI is also used to find vulnerabilities in email systems, helping these emails stay out of sight of mail filters. Phishing emails primarily aim to:

Using AI strengthens an organization's cybersecurity team. By using similar tools as malicious actors, organizations can identify weak spots and act on them.

By using AI capabilities within email systems, the system keeps learning new phishing patterns. Email service providers play an important role here. They can integrate known email characteristics into their filters, blocking them next time. By using smart vulnerability scans (vulnerability management), organizations can identify infrastructure vulnerabilities early and take action in time.

User Entity and Behavior Analytics (UEBA) is an advanced cybersecurity technique that uses machine learning and behavioral analysis to detect anomalies within digital environments. It focuses on identifying compromised entities such as firewalls, servers, and databases, but also suspicious activities from malicious insiders or compromised accounts. By linking logs and data from multiple systems, an analysis can be made of 'normal' use by an entity or user. AI is then used to analyze this usage. Deviations in behavior will generate alerts that a security team can investigate further.

A practical example from our own experience, where UEBA helped us take timely action on a compromised user account, is as follows. An account manager was regularly working in various Western European countries for client visits: Spain, Belgium, the Netherlands. The work took place between 9 AM and 8 PM. An alarm went off when the account was used to log in from a French city at 10 PM. These login actions indeed turned out to be invalid.

We've reached a point where organizations are increasingly deploying AI capabilities to secure their environments. For security teams, this presents new opportunities but also challenges. Every day brings new cyber threats. The tools used innovate at a rapid pace, but complexity also increases. Security teams need a platform that brings together all (log) data. Microsoft has created the Sentinel platform for this purpose.

Sentinel is known as security information and event management (SIEM), available from the Microsoft Azure environment. Since last July, Sentinel has had a new version of a so-called data lake. With this data lake, you can consolidate all your security data. Data collectors create connections to log sources from various systems. These can be Microsoft (Azure) systems, but collectors are also available for third-party vendors, or they can be manually created for specific customer applications. This provides enriched input. This gives you a single source on which you can investigate and trigger (automated) response actions. This way, an alert from Entra ID about a login attempt from, for example, the United Kingdom, which as an isolated incident isn't necessarily suspicious, can be enriched with an alert from Exchange that a user clicked a link in a suspicious email. Combined, these are worth investigating.

Since late September, Microsoft has released the Sentinel graph for public preview. With this tool, both security teams and AI can see connections, assess potential dangers, and act quickly, both before and after a security incident.

By combining the use of the data lake with Sentinel graph, security incidents can be enriched with a visual representation.

Using AI can add value for organizations. An essential part of this is that the organization has specialists with the right knowledge, both of the AI tool and the sources used as input. AI can only do its job properly if the infrastructure foundation is in order. Rights need to be properly configured and log sources must contain the correct information.

An AI system also learns from its mistakes. As described in the UEBA example, the system needs to learn what a valid user routine is. With a new system, this will certainly generate many false positives in the beginning. System specialists need to assist with this, and through feedback provided to the system, it will perform the analysis differently next time.

AI offers unprecedented opportunities, but also new risks. Attacking teams are faster at creating an attack platform. Defending teams can use advanced hunting techniques by using AI to gain insight into large amounts of (logging) data.

Attacking teams generally have to deal with fewer management layers that all need to approve the use of a new tool. This allows them to quickly adapt to the latest developments and exploit the newest vulnerabilities. To provide solid resistance to this, your organization also needs to stay aware of the latest developments. Knowledge of these developments needs to be available across different specialist teams. The right processes need to be in place so quick action can be taken when the situation demands it.

The battle between attackers and defenders is a cat-and-mouse game where speed, intelligence, and adaptability are key. Only by deploying AI smartly and strategically can security teams gain the upper hand.

At Argus IT, we have specialists who can help you implement AI capabilities from various Microsoft Defender solutions and Sentinel within your organization. Our experts are certified (CISSP and Microsoft) with years of practical experience. They can also rely on the security, IAM, and modern workplace expertise of their colleagues, further strengthened by our extensive professional network.