AI cyberattacks will consume half your security budget by 2028
TL;DR
Gartner predicts that by 2028, 50% of all enterprise cybersecurity incident response will be consumed by incidents involving custom-built AI applications. Attackers are already weaponising generative AI to build polymorphic malware, personalised deepfake fraud, and fully automated attack pipelines. The market has registered the shift, Surf AI just raised $57 million to fight AI-driven attacks with AI. If your defence strategy is still human-only, you are already behind.
What does Gartner's 50% prediction actually mean for your business?
Gartner, the analysts paid to see what is coming around the corner before you do, has put a hard number on the AI security problem: by 2028, half of all enterprise cybersecurity incident response will be focused on incidents involving custom-built AI applications.
Not 5%. Not 15%. Half.
Half your security budget, half your team's time, half your incident queue, consumed by a category of threat that barely existed three years ago.
That is not a line item on a spreadsheet. That is a structural reordering of every security priority you have, whether you like it or not. The skills gap alone is punishing: you need data scientists who understand security and security professionals who understand data science. These people are rare, expensive, and every organisation on the planet is competing for them at exactly the same time.
Why is your current security stack already obsolete?
Your current tools were built to detect known threats, known signatures, known patterns, known behaviours. They work by comparing what they see against what they have seen before.
AI-powered attacks do not operate that way. Attackers are now deploying:
- Polymorphic malware generated by AI that changes its code with every execution, rendering signature-based detection useless
- Reinforcement learning to probe your network, learn your defences, and adapt their attacks in real-time
- Automated attack pipelines that run the entire lifecycle, reconnaissance through to data exfiltration, at machine speed and scale
Your security tools see normal traffic, because the AI is specifically designed to mimic normal user behaviour. It is a ghost in the machine, invisible to the tools built to stop visible threats. You are fighting a static war against a dynamic enemy.
How are attackers using AI against your people right now?
This is not a future scenario. Here is what is already happening:
- Deepfakes of your CEO authorising fraudulent wire transfers, in a voice indistinguishable from the real thing
- Spear-phishing emails written by AI, personalised with details scraped from compromised email accounts, that your team will click on because the context appears completely legitimate
- AI scanning your code, your network, your entire digital footprint for vulnerabilities your human team would never identify
Your employees are simultaneously introducing risk without realising it. Every time someone pastes confidential data into a public AI tool, that is a potential data leak. Every time AI-generated code from an untrusted source gets deployed, that is a potential vulnerability. They are not trying to cause problems, but they are. And you have no visibility into it.
See where AI fits in your business. Free.
A 45-minute audit. We map the highest-value automations and what they're worth in time and money. No pitch, no pressure.
What is AI-vs-AI security, and why did Surf AI raise $57 million?
The market has already reached its conclusion: you cannot fight an AI-driven attack with a human-only security team.
Surf AI just launched with $57 million in funding. Their entire model is built on one idea, deploy AI agents to fight AI-driven attacks. The venture capital community is not betting on this because it sounds compelling in a pitch deck. They are betting on it because there is no viable alternative.
You can't send a cavalry charge against a squadron of F-35s. The only way to fight AI is with AI.
An AI-powered defence can:
- Spot subtle anomalies in network traffic that signal a novel attack, the kind no human analyst would catch at speed
- Identify and isolate a compromised account before it is used for lateral movement across your network
- Predict where an attacker is likely to strike next based on observed behavioural patterns
Human teams cannot do that at the required speed or scale. AI does not sleep. It does not get fatigued. It processes billions of data points in fractions of a second and responds at machine speed. If your security strategy has no significant AI component, you are not just behind the curve, you are not even in the race.
Why are 63% of UAE CIOs already worried about an AI trust crisis?
In the UAE, one of the most aggressive AI adopters in the world, 63% of CIOs are already concerned that an AI explainability failure could trigger a trust crisis. Not a technical failure. An explainability failure.
The logic is simple and brutal: if you cannot explain how your AI works, you cannot fully secure it. And if you cannot secure it, your customers will not trust it.
Imagine trying to explain to your customers that their data was stolen by an AI you do not fully understand. Imagine telling your board there has been a significant security breach, but you cannot explain exactly how it happened or how to close the gap. The reputational damage is catastrophic. The regulatory fines will be crippling. The loss of customer loyalty can be permanent.
An insecure AI is an unexplained black box. A business built on an unexplained black box has a trust problem it cannot explain away. Trust is the currency of modern business, and right now, a lot of businesses are quietly going bankrupt on it without knowing it.
Are you compliant, but not actually secure?
There is a dangerous gap between compliance and security. Most businesses are sitting squarely in it.
You have ticked the boxes. Firewall. Antivirus. Annual phishing training. You are compliant. But compliance frameworks were designed for a threat landscape that no longer exists. It is a sticking plaster on a severed artery, it might make you feel better, but you are still exposed.
Your employees are right now using AI tools to write emails, analyse data, and generate code. They are doing it because it makes them productive and efficient, and they are not wrong to do so. But you have limited visibility into what risks they are quietly introducing into your business. Each new AI tool integrated without a corresponding security strategy is another unmonitored gap in your perimeter.
The uncomfortable truth: you are compliant, but you are not secure.
What to do this week
- Audit your AI tool exposure. List every AI application your team uses, sanctioned or otherwise. Assess what data each one touches, who controls it, and whether it sends data outside your environment.
- Add an AI risk line to your next security review. Gartner's 50% prediction means this needs to be on the agenda at your next security review, not your next annual strategy day.
- Evaluate AI-native detection tools. Look at vendors whose detection is model-based rather than signature-based. The Surf AI raise of $57 million signals clearly where the market is moving.
- Start the explainability conversation. For every AI system you operate, ask: "Can we explain how this works if something goes wrong?" If the answer is no, that is a governance gap that needs closing before a regulator or a breach closes it for you.
- Treat employee AI use as a security surface. Shadow AI is already happening inside your organisation. Get ahead of it with clear policy and appropriate tooling before an incident forces the conversation at the worst possible moment.
Where to from here
Book a free 60-minute AI audit, we'll explore exactly what workflows are worth augmenting with AI.
Live with passion & AI,
Brett
Running an event? Put practical AI on your stage.
Keynotes and workshops that send business owners home with a plan they can use Monday morning. No hype.
Frequently asked questions
What is Gartner's prediction about AI and cybersecurity by 2028?
+
Gartner predicts that by 2028, 50% of all enterprise cybersecurity incident response will be focused on incidents involving custom-built AI applications. That means half your security team's time and budget will be consumed by a category of threat that barely existed a few years ago.
How are attackers already using AI against businesses?
+
Attackers are using generative AI to create polymorphic malware that changes its code with every execution, reinforcement learning to probe and adapt to network defences in real-time, and AI-generated deepfakes to impersonate executives for fraudulent wire transfers. Spear-phishing emails are also being crafted by AI using data scraped from compromised accounts.
What is Surf AI and why did it raise $57 million?
+
Surf AI is a startup that launched with $57 million in funding built entirely around using AI agents to fight AI-driven cyberattacks. The raise signals a broader market recognition that human-only security teams cannot compete against autonomous, AI-powered threats.
Why are UAE CIOs worried about an AI trust crisis?
+
In the UAE, 63% of CIOs are concerned that an AI explainability failure, not a technical failure, but an inability to explain how an AI system reached its decisions, could trigger a customer trust crisis. If you cannot explain your AI, you cannot fully secure it, and if you cannot secure it, customers will not trust it.
What is the difference between being compliant and being actually secure?
+
Compliance means meeting a defined minimum standard, firewalls, antivirus, phishing training. Security means being protected against current threats. Most businesses are compliant but not secure, because the threat landscape has evolved faster than the compliance frameworks designed to measure it.
Can a human-only security team defend against AI-powered attacks?
+
No. AI-driven attacks can launch simultaneous personalised attacks at machine speed, adapt in real-time to defences, and process data at a scale no human team can match. AI-native detection and response tools are now a prerequisite, not a nice-to-have.
How does shadow AI use by employees create security risk?
+
Every time an employee pastes confidential data into a public AI tool, that is a potential data leak. Every time AI-generated code from an untrusted source gets deployed, that is a potential vulnerability. Employees are not acting maliciously, but without visibility and policy, each unsanctioned AI tool is an unmonitored entry point.
Brett is a four-time founder (Darra Tyres, Gladfish, EzyTrac, Anaboo) and the operator behind AIOS, Anaboo's AI Operating System. He writes from inside the build, installing AI in his own businesses first and reporting back what actually moves the numbers. Based between Singapore, the UK and Australia.
