December 2020. FireEye discovers they’ve been breached.
The attackers had been inside for months. They used legitimate credentials. No malware signatures. No known indicators of compromise.
Traditional security tools saw nothing wrong.
This was the SolarWinds attack, one of the most sophisticated supply chain compromises in history. It affected 18,000 organizations including Fortune 500 companies and U.S. government agencies.
What finally caught them? Behavioral analytics and machine learning models that detected anomalous patterns in how attackers moved through networks.
This is where we are in 2025. Signature-based detection alone is insufficient. The volume, velocity, and sophistication of modern attacks demand a different approach.
Machine learning won’t solve every problem. But when deployed correctly, it catches threats that would otherwise stay invisible for months.
The Numbers Don’t Lie
IBM’s 2025 Cost of a Data Breach Report reveals the AI security divide. Organizations using AI tools extensively cut their breach lifecycle by 80 days and saved nearly $1.9 million on average.
The global average breach cost dropped 9% to $4.44 million. But there’s a catch: in the U.S., costs hit a record $10.22 million, up 9%.
Eighty days matters. That’s nearly three months where attackers could be exfiltrating data, establishing persistence, and moving laterally.
Modern attacks don’t look like the attacks we’ve already seen. Fileless malware lives in memory. Polymorphic code changes with every infection. Living-off-the-land attacks use legitimate system tools. Zero-day exploits have no signatures to match.
By the time signatures get written and deployed, the attack has evolved.
Where ML Actually Delivers
Behavioral Anomaly Detection
Microsoft detected the NOBELIUM threat group (behind SolarWinds, operating since 2020) through behavioral ML. In their 2021 campaigns, NOBELIUM used stolen OAuth tokens and legitimate credentials.
No malware. No suspicious files. Valid authentication.
Microsoft’s ML models flagged unusual patterns: abnormal API call sequences, atypical data access times, anomalous mailbox permission changes, and geographic inconsistencies in login patterns.
Traditional signature-based tools saw legitimate authenticated activity. The ML models saw behavior that didn’t match the user’s baseline.
Email Security at Scale
Google blocks over 15 billion spams and phishing emails daily using ML models. According to their 2025 security reports:
- 99.9% of spam, phishing, and malware emails are automatically filtered
- ML models detect new phishing campaigns within minutes
- Image-based phishing detection increased by 60% using computer vision
Traditional signature filters need hours or days to update for new campaigns. ML models spot patterns in sender behavior, content structure, and metadata in real time.
The Malware-Free Attack Challenge
The Malware-Free Attack Challenge CrowdStrike’s 2025 Global Threat Report reveals a fundamental shift: 79% of attacks gaining initial access are now malware-free. Adversaries use compromised credentials to infiltrate as legitimate users, moving laterally undetected.
The average breakout time dropped to 48 minutes. The fastest recorded: 51 seconds.
Traditional detection sees nothing wrong. Valid credentials. Legitimate tools. Authorized access.
Behavioral ML detects the anomalies: unusual login patterns at 3 AM, abnormal lateral movement, suspicious privilege escalation, data access inconsistent with baselines.
No malware signature needed. The behavior triggers detection.
The Reality Check
ML isn’t perfect. The false positive problem is real.
Recent studies show SOC analysts receive an average of 4,484 security alerts per day. Of these:
- Only 28% are investigated
- 52% are false positives
- Alert fatigue contributes to 31% of breaches being discovered by external parties
Early ML implementations often made this worse, generating thousands of “anomaly detected” alerts without context or prioritization.
Attackers are using AI too. The IBM report found 1 in 6 breaches involved attackers using AI, most commonly for phishing (37%) and deepfake impersonation (35%). Generative AI lets adversaries craft convincing attacks in minutes.
More concerning: shadow AI, unsanctioned AI use by employees, was a factor in 20% of breaches, adding $670,000 to average costs. And 97% of AI-related breaches occurred in organizations without proper AI access controls.
The cybersecurity AI arms race is real.
The Future: LLMs in Security
Large Language Models have entered security operations. Microsoft Security Copilot, powered by GPT-5 and now in widespread use, delivers 30% faster incident investigation, automated script generation for threat hunting, and natural language queries for complex security data.
Google deployed Sec-PaLM as its initial security foundation model within the Cloud Security AI Workbench (later Sec-PaLM 2), while Chronicle Security AI integrates machine learning capabilities into its threat detection platform. These tools speed up workflows but need careful validation. LLMs can hallucinate incorrect threat intelligence or analysis.
What Works: A Practical Approach
Use AI for what it does best. Apply ML to high-volume, pattern-based problems: network traffic analysis, log correlation, behavioral baselines, and email security.
Combine AI with human expertise. ML models detect and triage. Human analysts validate and investigate. Expect 3-6 months tuning sensitivity thresholds and refining baselines.
Measure what matters. Track true positive rate, false positive rate, time to detect, and time to respond.
The Bottom Line
AI and ML won’t replace human security analysts. They won’t catch every attack. They won’t eliminate false positives.
But when deployed thoughtfully and tuned carefully, they multiply your detection capabilities.
Ten years ago, ML in security was mostly research projects. Today, it’s operational reality in mature security programs.
Start small. Focus on specific use cases. Measure results. Scale what works.
The adversaries are using AI too. Standing still isn’t an option.
Gurdeep Gill
