Back

#shifthappens podcast

Episode 132: AI Attacks Move in Minutes. Can Your Response Keep Up?

author
Andrew Carr07/16/2026

When AI became widely accessible, it didn't just give organizations a productivity boost. It gave attackers one too. The same tools that speed up research, drafting, and analysis inside the enterprise are accelerating reconnaissance, impersonation, and intrusion outside it. The difference isn't only that attacks are smarter; it's that they're faster, often unfolding in minutes rather than weeks. 

In this episode of #shifthappens, Booz Allen Hamilton Managing Director and Global Head of Threat Management Andrew Carr talks through what's changed in how attacks unfold and what organizations need to adjust as response windows shrink. What stands out is the gap between knowing what to do and doing it fast enough. As AI compresses attack timelines, response readiness is becoming just as important as response capability.

Two Sides of the Same Shift

Andrew sees AI reshaping cybersecurity from both sides of the equation: how attackers gain advantage and how defenders respond.

On the attacker side, AI is already producing results. Reconnaissance that used to take weeks now happens in minutes — leadership, partnerships, ongoing deals, vendor relationships, all packaged into a clean profile that an attacker can act on. Social engineering has moved past the obvious tells. Emails reference real projects and real colleagues. Voices can be cloned from a short clip. Andrew points to the Crimson Kingsnake incident as a clear marker of where this lands: Tens of millions of dollars moved through impersonation alone, without a single email system compromised. “It really changes the game that you don't even need to compromise the organization anymore to bring in this huge payday,” he shares. 

The defender side moves more slowly, but the leverage is real. AI is starting to change how security teams read signals and decide what to act on: triaging alerts by severity, business impact, and proximity to critical assets, then surfacing what matters before it escalates. Andrew describes how his team built AI-assisted tools that reduce malware analysis from days to hours, allowing analysts to focus on higher-value decisions. The same principle applies more broadly: AI can help defenders process information faster so they can respond before threats escalate. 

Where the Operating Model Shifts

Talking about AI-driven threats in broad strokes is easy. Operating against them means tightening the specifics: what teams can see, what they prioritize, and how quickly they can decide. That work extends well beyond IT. Andrew notes that implementing governance, controls, classification, and zero trust requires involvement across business units. AI-assisted attacks are exposing the gaps between security ownership and organizational ownership, making resilience an enterprise-wide operating challenge rather than a technology initiative.

Start with What You Have and Where It Lives

Most defenses break down at the same place: teams don't have a clean picture of their own environment. Andrew is direct about it — data classification gets skipped, segmentation lives only at the network layer, and the early minutes of an incident get spent confirming what an attacker can reach. “You really just need to approach this from the things that have been ignored for too long,” he explained. 

His approach starts with knowing the inventory and the pathways between systems, identities, and data. That visibility is what makes practices like zero trust and least privilege enforceable instead of aspirational.  

Deploy AI to Assist, Not Replace

Andrew is careful with how he frames AI in defense. Tools dropped into an environment without tuning create more noise than signal, and he's walked into enough consoles to know that automations are often turned off, the wrong product tier is in place, or alerts are configured against defaults that have nothing to do with the business. He is equally clear that security technology alone doesn't solve the problem. In incident response work, he regularly sees organizations with strong security technology but insufficient staffing, limited expertise, or poorly configured automations. 

AI earns its place by helping security teams sort and prioritize threats. The goal is to make sure analyst attention lands on the right problems before they spread. Properly tuned, AI allows a small team to operate at the scale today's threat landscape demands. But that advantage depends on more than technology. As AI increases the volume and speed of signals, organizations need to invest in training and expertise alongside the tools themselves. 

Treat Trust as a Surface, Not a Default

The instinct to trust based on familiarity – a known voice, a known sender, a known thread – no longer holds. Andrew is direct about this: a voice can be cloned, a phone number can be spoofed, and an attacker can sound exactly like the CEO calling the help desk. Controls must be designed around the assumption that human senses can be fooled. That means verification steps for high-risk requests, segregation around the systems that matter most, and a help desk culture that questions out-of-pattern asks regardless of who appears to be making them. 

The trust challenge extends to AI itself. Andrew also highlights shadow AI and AI agents with access to sensitive information. If attackers compromise those credentials, they inherit the same access paths. The principle remains unchanged: know where data resides, understand who or what can access it, and enforce segmentation and least privilege accordingly.

Drill Response Until It's Second Nature

Andrew describes one ransomware case where roughly an hour passed between the moment a managed detection partner flagged the attack and the moment the organization could validate, escalate, and authorize a response. By the time the call ended, the encryption was already in motion, and the backups were gone. His point isn't that the team made the wrong call. It's that there wasn't enough time to make the right one. The fix is regular drills across business units, covering more than ransomware and repeated often enough that everyone knows who makes decisions, who escalates issues, and when to act, emphasizing that, "It has to be second nature because we don't have the time anymore to take our time." 

Security Sets the Pace

Andrew's closing message lands on execution. The fundamentals, such as visibility, segmentation, least privilege, classification, and response readiness, aren't new ideas. Leaders set the tone for whether security gets treated as a project that lives in IT or as part of how the organization operates. In the same way attackers have stopped waiting for the perimeter to give way, defenders can't wait for an incident to test the plan. The organizations that keep up won't be the ones with the most tools; they'll be the ones whose response is already in motion before the minute is gone.

Soundtrack of Shift

Andrew's Soundtrack of Shift pick is Deftones' “My Own Summer.” He had grown up with Journey, Billy Joel, and Elton John — and didn't know music could sound like that. The riff and the drums shifted the music he listened to, the friends he kept, and how he carried his feelings at the time. Real shifts often arrive that way: unfamiliar in the moment, unmistakable in hindsight. 

Explore more soundtracks shaping how leaders approach change and transformation today.

Episode Resources

#shifthappens Research: 2026 State of AI Report

#shifthappens Insights:

#shifthappens Podcasts: 

Andrew Carr on LinkedIn

Dux Raymond Sy on LinkedIn

Dana Simberkoff on LinkedIn 

Booz Allen website

Stay Ahead of the Curve with the Latest Insights on the Future of Work

Explore Insights
AvePoint logo

#shifthappens is powered by AvePoint, the global leader in modern data protection, unifying data security, governance, and resilience to provide a trusted foundation for AI.