AI is making attackers worse, not better.

1. Opening Claim

Attacker output is up. Attacker craft is down. The two are not contradictions. They are the same condition observed at different layers of the kill chain. Across phishing samples, initial access tooling, and post-exploitation behaviour collected through 2024 and into 2026, the pattern reported by multiple defender telemetry sources is consistent: more volume, lower variance, weaker fundamentals. The specific operator population producing this pattern is not confirmed. The pattern itself is.

The hypothesis many defenders worked from in 2023 was that generative models would compound attacker capability. Better lures, better code, better evasion. That model was incomplete. It accounted for the upside and not the cost. The cost is now visible in defender data.

Operators who lean on model output stop building the practice that produced quality tradecraft in the first place. The skills that required iteration, failure, and judgement degrade because the model removes the iteration. What is being observed in attacker behaviour is not capability uplift. It is capability substitution, and substitution has a half-life.

2. The Original Assumption

The original assumption rested on three claims. First: AI would close the gap between low-skill operators and senior ones. Second: senior operators would compound their existing skill with model output. Third: the volume of high-quality attacks would rise as a function of both. The defender posture built on that assumption prioritised detection ceiling over detection floor.

That assumption treated attacker skill as additive. Model output plus operator judgement equals stronger attack. It did not account for what happens when operator judgement is no longer exercised. It did not account for the feedback loop between effort and competence. Whether the loop applies uniformly across all operator tiers is not confirmed. That it applies to a significant subset is supported by the convergence in observable tooling.

The assumption also held that model output would remain differentiated across vendors and across operators. It has not. Models trained on overlapping corpora produce overlapping output. Phishing lures generated across multiple providers converge on the same structural patterns, the same phrasing rhythms, the same call-to-action shapes. Defender classifiers benefit from this convergence. Attacker novelty does not survive it.

3. What Changed

Three shifts are observable in current defender data. First, phishing volume is up while phishing variance is down. Lures cluster around a narrower set of templates. Header anomalies, model-shaped sentence construction, and predictable urgency patterns are now reliable signal for classifier-based filtering. The specific reduction in variance is reported by multiple email security vendors. The exact magnitude across the wider population is not confirmed.

Second, initial access tooling derived from model output reuses the same code structures. Loader behaviour, persistence mechanisms, and command staging patterns repeat across unrelated incidents. Threat intel feeds report higher cluster overlap between actors that were previously distinct. Whether this represents shared infrastructure, shared tooling lineage, or shared model dependency is not confirmed. The behavioural convergence at the artifact level is.

Third, operator response under defender pressure has degraded in a specific way. When initial tooling is burned, the observed response is to regenerate from the same model rather than adapt the underlying technique. The adaptation cycle that defined skilled intrusion behaviour requires understanding the control that triggered detection. Model-mediated operators frequently do not exhibit that understanding in follow-on attempts. They produce more output. They do not produce better output. The control that detected the first attempt typically detects the second.

4. Mechanism of Failure or Drift

The mechanism is observable. Capability in offensive operations is produced through iteration against feedback. The operator attempts an action, observes the defender response, adapts the technique, and retries. The product of that loop is judgement about which controls fire, when, and why. Model-mediated workflows compress the loop by removing the operator from the inner steps. The operator describes an outcome. The model produces the artifact. The operator deploys the artifact. When the artifact fails, the operator returns to the prompt rather than the technique.

Each cycle through the model rather than through the control bypasses the step where judgement is formed. Output is generated. Understanding is not. Over repeated cycles the operator accumulates artifacts and loses the structural knowledge those artifacts were meant to encode. This is what is observable in the data. When a loader is burned, the regenerated loader is structurally similar to the burned one. When a lure is filtered, the regenerated lure shifts surface phrasing and retains the underlying construction the classifier was trained against. The defender control that detected the first attempt is exercised again, not evaded.

This is not a claim about model quality. It is a claim about how operational skill is acquired. The model can produce output indistinguishable from senior tradecraft on the first attempt. The cost is paid on the second attempt, when adaptation is required and the operator no longer has the underlying practice to draw on. Whether any individual operator escapes this loop by retaining manual practice alongside model use is not confirmed. The aggregate signal in defender data is that most do not. The drift is not a skill gap. It is a feedback loop break.

5. Expansion into Parallel Pattern

The mechanism is not specific to attackers. It is specific to operators who substitute model output for the practice loop that produced their craft. The same condition is observable wherever that substitution occurs. Defenders using model-generated detection rules without exercising the underlying behaviour the rule encodes are subject to the same drift. The rule fires. The analyst closes the ticket. The analyst does not build the pattern recognition that previously came from constructing the rule manually. When the technique shifts outside the rule’s coverage, the analyst has the same gap the model-mediated attacker has on the opposite side of the engagement.

The mechanism is symmetric because the feedback loop is symmetric. Practice produces judgement. Substitution produces output. Where the substitution is constant, the judgement is not maintained. This applies to triage workflows that route alerts through model summaries before analyst review, to incident response runbooks generated from model output, and to detection engineering pipelines where rule logic is produced from natural-language prompts. The artifacts are functional. The competence required to evaluate them under novel conditions is not produced by their use.

The implication for defender posture is logically necessary from the mechanism, not from outside data. Any control that depends on operator judgement during a live event is exposed to the same drift the attacker side is now exhibiting. If the defender’s response capability is built on the same substitution pattern that is currently degrading attacker capability, the defender’s posture during a non-routine event is not what the tooling inventory suggests it is. Whether this drift is currently present in any specific defender environment is not confirmed. The mechanism applies wherever the substitution is present.

6. Hard Closing Truth

The condition is not that AI made attackers stronger. The condition is that AI changed how attacker capability is produced, and the production pathway is leaking. Volume is up because output is cheap. Variance is down because output is shared. Adaptation is degraded because adaptation requires practice the operators are no longer doing. None of this requires defender heroics to detect. Classifier-based filtering, behavioural clustering, and standard control hygiene are catching it. The detection floor matters more than the detection ceiling in this condition.

The operator position is to refuse the symmetric trap on the defender side. Practice loops that produce judgement must be preserved where judgement is the control. Detection engineers must continue to construct rules manually for the technique classes they own. Analysts must continue to triage a fraction of alerts without model assistance to maintain pattern recognition. Internal red teams must continue to operate manually against the controls they are testing. Tooling is acceptable as a force multiplier on existing skill. It is not acceptable as a substitute for it.

The half-life of capability substitution is not theoretical. It is the mechanism currently producing the convergence visible in attacker telemetry. The same mechanism will produce the same convergence on the defender side if it is allowed to. Identity is the boundary. Practice is the control. Anything that removes the practice removes the control, regardless of which side of the engagement the operator is on. Controls that are not exercised are not controls.