At the end of 2023, over half of cybersecurity professionals (60%) reported feeling unprepared for the reality of AI-augmented cyber threats. Twelve months later, that number had dropped to 45%—a clear sign that the industry has recognized the urgency of AI-driven threats and is taking steps to prepare.

This preparation has involved enhancing and optimizing technology and processes in the SOC, improving cybersecurity awareness training, and improving integration among existing cybersecurity solutions. But the biggest priority in addressing the challenge posed by AI-powered cyber-threats, according to the more than 1,500 cybersecurity professionals we surveyed around the world, is defenders themselves adopting defensive AI to fight fire with fire.  

In December 2023, 58% listed ‘adding AI-powered security tools to supplement existing solutions’ as a top priority for their teams. By December 2024, it had risen to 64%.  

On the other end of the spectrum, ‘increasing security staff’ fell to just over 10% – and only 8% among CISOs. This is despite ‘insufficient personnel’ being listed as the top challenge which inhibits organizations in the fight against AI-powered cyber-threats. This underscores a stark reality: while teams are understaffed and struggling, hiring the right talent is so challenging that expanding headcount is often seen as an unrealistic solution.

What security leaders are looking for in AI-powered solutions

As AI adoption accelerates, confidence in AI-powered security tools remains high, with over 95% of respondents agreeing that AI-enhanced solutions improve their ability to combat advanced threats. But what exactly are security leaders prioritizing when evaluating vendors?

Three key principles emerged:

1. Platform solutions over point products – 88% of respondents prefer integrated security platforms over standalone tools, emphasizing the need for cohesive and streamlined defense strategies.

2. A shift toward proactive security – 87% favor solutions that free up security teams to focus on proactive risk management, rather than reacting to attacks after they occur.

3. Keeping data in-house – 84% express a strong preference for security tools that retain sensitive data within their organization, rather than relying on cloud-hosted ‘data lakes’ for analysis.

The knowledge delta: AI knowledge is growing, but there is a long way to go  

While AI adoption is accelerating, how well do security leaders understand the AI technologies they are deploying? Do they have the expertise to differentiate between effective solutions and vague marketing claims?

Our survey found that overall familiarity with AI techniques is improving, particularly with generative AI, which saw the most significant increase in understanding over the past year. Respondents also reported growing awareness of supervised machine learning, Generative Adversarial Networks (GANs), deep learning, and natural language processing. However, knowledge of unsupervised machine learning—critical for identifying novel threats—actually declined.

Alarmingly, 56% of respondents admitted they do not fully understand the AI techniques used in their existing security stack. Clearly there is a long way to go in understanding this vast and fast-changing landscape. Darktrace has recently published a whitepaper breaking down the different AI types in use in cybersecurity which you can read here.  

For many security leaders, staying ahead starts with understanding industry trends: how CISOs are thinking about AI’s impact, the steps they are taking, and the challenges they face. Our full State of AI Cybersecurity report is now available, offering deeper insights into these trends across industries, regions, company sizes, and job roles.

Download the full report to explore these findings in depth

‍

Part of being a cybersecurity vendor is recognizing our responsibility to the security community – while vendor competition exists, it pales in comparison to the threat of our shared adversary: malicious threat actors.

Darktrace is proud to be contributing to the shared mission of fighting attackers; without goodwill among defenders that task is made more difficult for everyone. Through collaboration, we can advance security standards across the board and make the world a safer place.  

With that in mind, Darktrace recently observed an exploitation capability latent in a competing email security vendor’s link rewriting infrastructure, which posed a risk to organizations. Following identification, Darktrace was able to report it to the vendor following their disclosure process. We’ll explore the vulnerability, the potential impact it may have had, how it could have been resolved, and the steps Darktrace took to raise it with the vendor.  

Please note that the following vulnerability we’re about to expose has already been resolved, so there is no risk of it being exploited by others. While keeping this vendor anonymous, we also want to thank them for their cordial response and swift remediation of the issue.

For more information about vulnerability disclosure best practices, refer to the UK National Cyber Security Center’s Vulnerability Disclosure Toolkit.

Details of the vulnerability

Let’s take a look at the weakness Darktrace identified in the link rewriting infrastructure.

In January 2025, Darktrace observed that links generated by a URL rewriting infrastructure could be re-engineered by a malicious actor to point to a URL of their choosing. In this way, a threat actor could effectively use the vendor’s domain to create a malicious domain under their control.

Because a majority of security vendors default to trust from known-safe domains, using one of these links as the payload greatly enhances the likelihood of that email being allow-listed to bypass email security, network URL filtering, and other such security tools, to reach the inbox. This issue meant any adversary could have abused the vendor’s safelink structure to deliver a malicious phishing link payload to any organization. It is likely this exploitation capability could have been found and abused at scale if not addressed.

The problem with said vendor’s link rewriting process was in using standard base-64 encoding instead of randomized encoding, so that anyone could replace the value of the parameter “b=” which contains a base64-encoded form of the original link with a base64-encoded form of a URL of their choosing.

This also posed issues from a privacy perspective. If, for example the encoded link was a SharePoint file, all the included folder names would be available for anyone to see in plaintext.

How the vulnerability was resolved

The solution for developers is to ensure the use of randomized encoding when developing link rewriting infrastructure to close the possibility of safelinks being deciphered and re-engineered by malicious actors.

Once Darktrace found this link issue we followed the vendor’s disclosure process to report the potential risk to customers and the wider community, while also conducting a review to ensure that Darktrace customers and their supply chains remained safe. We continued to follow up with the company directly to ensure that the vulnerability was fixed.

This instance highlights the importance of vendors having clear and visible vulnerability disclosure processes (such as RFC9116) and being available to listen to the security community in case of disclosures of this nature.

Why Darktrace was obliged to disclose this vulnerability

Here, Darktrace had two responsibilities: to the security community and to our customers.

As a company whose mission is to protect organizations today and for an ever-changing future, we will never stand by if there is a known risk. If attackers had used the safelinks to create new attacks, any organization could have been exposed due to the inherent trust in this vendor’s links within services that distribute or maintain global whitelists, harm which could have been multiplied by the interlinked nature of supply chains.

This means that not only the vendor’s customers were exposed, but any organization with their safelink in a whitelist was also exposed to this vulnerability. For Darktrace customers, an attack using this link would have been detected and stopped across various service offerings, and a secondary escalation by our Cyber AI Analyst would ensure security teams were aware. Even so, Darktrace has a responsibility to these customers to do everything in its power to minimize their exposure to risk, even if it comes from within their own security stack.

Why Darktrace customers remain protected

If a Darktrace / EMAIL, Darktrace / NETWORK, or any other Darktrace ActiveAI Security Platform customer was exposed to this type of vulnerability, our unique Self-Learning AI approach and defense-in-depth philosophy means they stay protected.

Darktrace / EMAIL doesn’t approach links from a binary perspective – as safe, or unsafe – instead every link is analyzed for hundreds of metrics including the content and context in which it was delivered. Because every user’s normal behavior is baselined, Darktrace can immediately detect anomalies in link-sharing patterns that may point to a threat. Furthermore, our advanced link analysis includes metrics on how links perform within a browser and in-depth visual analysis, to detect even well-disguised payloads.

None of Darktrace’s customers were compromised as a result of this vulnerability. But should a customer have clicked on a similar malicious link, that’s where a platform approach to security comes in. Detecting threats that traverse domains is one strength of the Darktrace ActiveAI Security Platform. Our AI correlates data from across the digital estate to spot suspicious activity in the network, endpoint or cloud that may have originated from a malicious email. Darktrace’s Cyber AI Analyst then performs triage and investigation of alerts to raise those of high importance to an incident, allowing for human-analyst validation and escalation.

As demonstrated by finding this vulnerability in another vendor, Darktrace’s R&D teams are always thinking like an attacker as they develop our products, to allow us to remain one step ahead for our customers.

Conclusion

We hope this example can be useful to developers working on link rewriting infrastructure, or to vendors figuring out how to proceed with a disclosure to another vendor. We’re pleased to have been able to collaborate with said vendor in this instance, and hope that it serves to illustrate the importance of defenders working together towards the common goal of keeping organizations safe from hostile cyber actors.