Google: AI shrinks cyberattack cost, boosts volume in 2026
Serge Bulaev
Google's report suggests AI is making cyberattacks cheaper and more frequent. Attackers may now use AI to quickly find security flaws, create convincing phishing emails, and adjust malware to avoid detection. Early cases show AI can help hackers work much faster than before, though defenders are starting to use AI tools too. Experts warn that organizations that delay updating their defenses might struggle against these fast, automated attacks. The report says the best defense may be combining AI detection with human oversight and strong security practices.

Google's latest threat intelligence warns that AI shrinks cyberattack cost and boosts volume, enabling adversaries to draft exploits, create persuasive phishing, and guide intrusions in near real-time. This new reality was highlighted by a May 2026 incident where attackers used an AI system to discover a novel software flaw, offering what Google called a glimpse into automated zero-day discovery (Axios).
The warning, from Google Cloud's Cybersecurity Forecast 2026, details a growing disparity between machine-speed attackers and defenders often limited to human-paced responses (Google Cloud).
How AI is changing the attack surface
According to Google's forecast, threat actors are leveraging large language models (LLMs) to lower operational costs and significantly broaden their target lists.
AI is fundamentally changing cyberattacks by making them cheaper, faster, and more scalable. Attackers use AI to automate reconnaissance, generate highly convincing phishing emails, and create malware that evades detection. This allows even less-skilled actors to deploy sophisticated campaigns that were previously cost-prohibitive and time-intensive.
Experts identify three primary trends:
- Automated reconnaissance that scans exposed services, then ranks the easiest entry points.
- Phishing kits that tailor tone, timing, and translation to each recipient, increasing click rates significantly in some industry tests.
- Malware generators that adjust payloads on each delivery to evade static signatures.
State-linked groups from North Korea and China are also experimenting with AI, using it to validate thousands of potential exploits simultaneously - a scale of attack preparation previously considered impractical.
Early evidence from the field
In a May 2026 case study, Google detailed how attackers fed public documentation for a software platform into an AI, which then queried for anomalies and generated a working exploit in hours. While Google's security team intercepted the attack, the incident demonstrated how AI drastically shortens detection windows.
The report also warns of "Shadow Agent" risks, where autonomous AI scripts can independently decide which systems to probe next. This creates the threat of relentless, 24/7 bot-driven campaigns that operate without human intervention.
Defensive moves enterprises are testing
To counter these threats, security leaders interviewed for the forecast emphasized controls designed to limit the blast radius from a single compromised credential or phishing link. Key recommended measures include:
- Phishing-resistant multi-factor authentication for privileged roles.
- Behavior-based detection that watches for unusual API calls, impossible travel, or late-night privilege changes.
- Segmentation of finance and identity services so lateral movement requires multiple escalations.
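As an added illustration (not code from Google's report or from this article), the sketch below applies two of the behavior-based signals named in the list, impossible travel and late-night privilege changes, to a handful of constructed identity events. The event fields, the 900 km/h speed ceiling, the 50 km jitter floor, and the 00:00-05:59 off-hours window are all assumptions chosen for the example; timestamps are assumed to be UTC, with the organization's working hours also in UTC.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900            # assumed ceiling: roughly airliner cruise speed
MIN_KM = 50              # assumed floor to ignore geo-IP jitter
OFF_HOURS = range(0, 6)  # assumed "late-night" window, 00:00-05:59 UTC

# Constructed sample events (not real telemetry); field names are hypothetical.
EVENTS = [
    {"ts": "2026-03-02T09:00:00", "user": "alice", "action": "login", "lat": 51.5074, "lon": -0.1278},
    {"ts": "2026-03-02T10:30:00", "user": "alice", "action": "login", "lat": 40.7128, "lon": -74.0060},
    {"ts": "2026-03-02T14:00:00", "user": "bob", "action": "login", "lat": 48.8566, "lon": 2.3522},
    {"ts": "2026-03-02T16:30:00", "user": "bob", "action": "login", "lat": 52.5200, "lon": 13.4050},
    {"ts": "2026-03-03T02:15:00", "user": "bob", "action": "role_grant", "lat": 52.5200, "lon": 13.4050},
    {"ts": "2026-03-03T11:00:00", "user": "carol", "action": "role_grant", "lat": 51.5074, "lon": -0.1278},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect(events):
    """Return (rule, user, timestamp) alerts for the two behaviours."""
    alerts, last_login = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "login":
            prev = last_login.get(ev["user"])
            if prev:
                hours = (ts - prev[0]).total_seconds() / 3600
                km = haversine_km(prev[1], prev[2], ev["lat"], ev["lon"])
                # Simultaneous logins from distant places count as impossible too.
                if km > MIN_KM and (hours <= 0 or km / hours > MAX_KMH):
                    alerts.append(("impossible_travel", ev["user"], ev["ts"]))
            last_login[ev["user"]] = (ts, ev["lat"], ev["lon"])
        elif ev["action"] == "role_grant" and ts.hour in OFF_HOURS:
            alerts.append(("off_hours_privilege_change", ev["user"], ev["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Bob's Paris-to-Berlin logins 2.5 hours apart stay under the speed ceiling and raise nothing, which is the kind of plausible travel a fixed "new country" rule would flag as a false positive.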
Google's report advises implementing continuous security testing that mimics attacker automation. However, experts caution that AI-powered detection requires human oversight, as false positive rates can increase when security models pursue adaptive malware.
What the numbers show so far
Data cited by Google illustrates the dramatic efficiency gains. According to industry reports, AI can significantly reduce the time needed to craft convincing spear-phishing emails compared to manual methods. Separately, security researchers have reported substantial increases in AI-generated scams based on customer telemetry.
While comprehensive global metrics are still emerging, the trend is clear: AI lowers the cost per attack while increasing the total volume. Researchers conclude this dynamic shifts defensive priorities from static signature-based tools toward identity assurance, behavioral analytics, and rapid incident response.
Looking ahead
Google concludes that attackers will "leverage AI to escalate the speed, scope, and effectiveness of their attacks." The report warns that organizations waiting for perfect threat data risk being overwhelmed by automated campaigns that iterate faster than traditional patch cycles. The best defense is pairing AI-assisted security with strong governance and proactive exposure management to keep pace with the evolving threat.
How is Google warning that AI will reshape cyberattacks by 2026?
Google's Cybersecurity Forecast 2026 says AI use by threat actors is expected to become the norm and will transform the cyber threat landscape. The company has documented cases of attackers using AI to discover previously unknown software flaws and attempt large-scale exploitation. State-linked groups from North Korea and China are already testing AI for vulnerability triage, with some groups reportedly using AI to evaluate thousands of exploits in hours instead of weeks.
Why does AI lower the cost but raise the volume of breaches?
AI compresses the time and expertise once needed for complex intrusions. Google notes that tasks like writing polymorphic malware, crafting localized phishing lures, or scanning cloud tenants for weak credentials can now be automated at machine speed. Industry reports suggest AI can dramatically reduce the time needed for tasks like phishing email creation. The result is more campaigns, cheaper attacks, and a larger pool of less-skilled actors who can rent AI-enhanced tools on dark-web markets.
Which enterprise controls does Google say matter most against AI-driven attacks?
Google urges organizations to harden identity first: deploy phishing-resistant MFA, enforce least privilege, and treat Shadow Agent scenarios, where AI agents act on behalf of users, as a new governance risk. Beyond identity, the forecast recommends behavior-based detection that spots anomalous API calls, impossible-travel logins, and sudden data-hoarding; zero-trust segmentation so one compromised workload cannot reach finance or production systems; and continuous exposure management that automatically flags internet-facing assets with weak or missing authentication.
How are defenders already using AI to flip the economics back in their favor?
Forward-looking SOCs are pairing AI-assisted triage with human oversight: models help surface the most critical alerts that merit analyst review, significantly reducing noise in early pilots. AI is also powering real-time deepfake detection in video calls, adversarial-model hardening to protect in-house LLMs, and automated reverse-engineering of malware that used to consume a full day of analyst time. Google stresses that sharing AI-generated threat intelligence across vendors and sectors is critical; the same models attackers use to scale can be trained on pooled telemetry to pre-emptively flag new attack patterns.
What should boards prioritize in the next 12 months to stay ahead?
- Finance and executive shielding: require out-of-band verification for any payment or vendor-bank change, and mandate dual approval for wire transfers above a low threshold.
- Identity modernization budget: phishing-resistant MFA for all staff and continuous authentication for privileged users.
- API and cloud entitlement review: inventory every service account, enforce least-privilege OAuth scopes, and monitor for anomalous machine-to-machine calls.
- AI governance framework: restrict training data, validate prompts, and monitor outputs to prevent model poisoning or data leakage.
- Incident-response update: add playbooks for deepfake fraud, AI-generated ransomware notes, and machine-speed lateral movement that can outpace human containment steps.