Random Acts of It
Less Tech, More human

AI-Orchestrated Cyberattacks: The Scaling Problem Is Gone

That changes everything!


The most important shift in cybercrime right now isn’t “AI writes better phishing emails.” It’s that AI is starting to run larger portions of the attack workflow—recon, credential harvesting, exploitation, lateral movement, and data operations—fast enough that the old limiting factor (human time and talent) matters a lot less.


That’s the core argument in ThreatDown’s December 2025 article, AI-orchestrated cyberattacks—and it’s a wake-up call for any organization that still relies on “we’ll notice it in the morning” security. Let’s break down what ThreatDown reported, why it matters, and what to do without getting lost in hype.

Primary reference: ThreatDown (Malwarebytes), “AI-orchestrated cyberattacks” (Dec 9, 2025)
https://www.threatdown.com/blog/ai-orchestrated-cyberattacks/


What ThreatDown Says Happened: From “AI Assistance” to “AI Orchestration”


ThreatDown frames 2025 as an inflection point: AI agents moved from helping with tasks to coordinating multi-step operations.


Two reported escalations (as summarized by ThreatDown)

ThreatDown points to reporting from Anthropic describing two milestones involving an AI coding agent:


  • August 2025: AI assisting scaled data extortion—supporting recon, credential harvesting, and automation across multiple targets. ThreatDown highlights Anthropic’s key takeaway that a single operator could approximate the output of an entire team (ThreatDown citing Anthropic).
  • November 2025: AI orchestrating a cyber-espionage campaign—where humans set goals/guardrails, but AI agents handled the bulk of tactical execution across many targets with limited human involvement (again, ThreatDown citing Anthropic).


ThreatDown’s big point: attribution and target set are less important than the operational model—AI making attacks cheaper, faster, and more scalable.


Why This Matters: “Machine-Scale” Isn’t Just Bigger—It’s Faster Than Your Process


ThreatDown’s most useful insight is that attackers historically had a scale constraint: skilled operators are scarce, and intrusions are time-consuming. AI agents change the economics.


The attacker advantage: orchestration, not “magic malware”


ThreatDown notes that the power in these cases wasn’t exotic new malware. It was standard tools and familiar playbooks, linked together and executed at scale by agents.

In practical terms, that means defenders shouldn’t wait for “new tactics” to justify action. The tactics may look familiar; the tempo and volume won’t.


The operational nightmare: speed + persistence


ThreatDown describes AI agents sustaining context over long sessions and executing actions at speeds no human team can match. Even if only part of that capability is available broadly, the defensive implication is immediate:


  • More concurrent intrusions attempted
  • Faster progression from foothold → privilege → impact
  • Less time for humans to triage and contain


The One “Speed Bump” (For Now): AI Still Makes Mistakes


ThreatDown also calls out a real near-term limiter: hallucinations and operational errors. In the examples it cites, the AI sometimes overstated results or claimed to have data/credentials that didn’t actually work.

Here’s the catch: defenders shouldn’t interpret that as safety. Even with mistakes, the model still acts like a force multiplier, and the error rate is likely to drop as tools and models mature—exactly the direction ThreatDown warns about.


What To Do About It: Defend for “More and Faster,” Not “Brand-New”


ThreatDown’s conclusion is refreshingly pragmatic: if malicious agents are using the same playbooks humans use, organizations should prepare for higher alert volume and faster response requirements, especially in Endpoint Detection and Response (EDR).


1) Tighten the doors attackers keep walking through


  • Patch internet-facing systems aggressively (VPNs, edge appliances, web apps).
  • Reduce exposed services and remove stale accounts.
  • Enforce MFA everywhere (prioritize phishing-resistant methods for admins where feasible).

2) Make lateral movement harder than it should be


  • Segment networks (even “imperfect” segmentation helps).
  • Reduce standing privileges; use just-in-time admin where possible.
  • Monitor for credential abuse patterns (new device sign-ins, impossible travel, abnormal privilege changes).
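One way to turn the credential-abuse bullet above into a concrete check, as an added example that is not from the ThreatDown article or this post: it scans constructed JSON sign-in events and flags a first-seen device per user and an implied travel speed between consecutive sign-ins above an assumed 1000 km/h threshold (the field names, the threshold and the sample events are all assumptions).

```python
# Added example: flag impossible travel and first-seen devices in sign-in logs.
import json
import math
from datetime import datetime

# Constructed sample sign-in events (JSON lines), not real telemetry.
SAMPLE_LOG = """\
{"ts":"2025-12-09T01:00:00Z","user":"alice","device":"laptop-01","lat":47.61,"lon":-122.33}
{"ts":"2025-12-09T01:40:00Z","user":"alice","device":"unknown-77","lat":52.52,"lon":13.40}
{"ts":"2025-12-09T02:00:00Z","user":"bob","device":"desk-42","lat":40.71,"lon":-74.01}
{"ts":"2025-12-09T06:00:00Z","user":"bob","device":"desk-42","lat":40.72,"lon":-74.00}
"""
MAX_KMH = 1000.0  # assumed threshold: faster than any realistic air travel
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def find_alerts(log_text, max_kmh=MAX_KMH):
    """Return (user, alert_type) tuples in log order. Per user, the first device
    seen is the baseline and later unseen devices raise NEW_DEVICE; consecutive
    sign-ins whose implied speed exceeds max_kmh raise IMPOSSIBLE_TRAVEL."""
    alerts, last, devices = [], {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        user, seen = ev["user"], devices.setdefault(ev["user"], set())
        if seen and ev["device"] not in seen:
            alerts.append((user, "NEW_DEVICE"))
        seen.add(ev["device"])
        prev = last.get(user)
        if prev is not None:
            hours = (datetime.strptime(ev["ts"], TS_FMT)
                     - datetime.strptime(prev["ts"], TS_FMT)).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            if hours > 0 and km / hours > max_kmh:  # same-timestamp events are not rated
                alerts.append((user, "IMPOSSIBLE_TRAVEL"))
        last[user] = ev
    return alerts

if __name__ == "__main__":
    for user, kind in find_alerts(SAMPLE_LOG):
        print(f"{kind}: {user}")
```

On the constructed log it reports alice twice (new device, then impossible travel) and nothing for bob, whose two sign-ins are four hours apart from the same device.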

3) Build a response muscle that works at 2 a.m.


If alert volume rises and time-to-impact shrinks, you need:

  • Clear containment runbooks (isolate endpoint, revoke sessions/tokens, rotate creds, block egress)
  • Tested backups and restore procedures (including immutable/offline where possible)
  • After-hours coverage—either internal or via a managed service model (ThreatDown explicitly points to Managed Detection and Response, MDR, in the article)


Takeaway: The Skills Barrier Is Dropping—and That Expands the Threat Actor Pool


ThreatDown’s headline claim is the one leaders should internalize: sophisticated attackers used to struggle to scale; now they can “add agents,” and less-resourced actors can attempt bigger operations with AI support.

So the right mental model isn’t “AI will invent a new kind of hack tomorrow.” It’s: the same intrusion playbooks will hit you more often, faster, and with less warning.



  • ThreatDown (Malwarebytes) reference article: https://www.threatdown.com/blog/ai-orchestrated-cyberattacks/


Affiliate disclosure: This post contains an affiliate link. If you purchase through it, I may earn a commission at no additional cost to you.


Latest data breaches

Under Armour Data Breach


As someone who loves Under Armour products, it was disheartening to learn about the recent data breach affecting the company. I was notified by both my password manager, Dashlane, and the "Have I Been Pwned" website, but I have not yet received any communication from Under Armour. This situation is concerning, especially after purchasing a pair of shoes online in November.

As a cybersecurity expert, I understand the importance of taking immediate and prudent steps to protect my personal information. Here are the actions I plan to take in response to this breach:


1. Change Passwords Immediately

  • Update the password for my Under Armour account and any other accounts that may use the same credentials.
  • Ensure the new password is strong and unique, combining uppercase and lowercase letters, numbers, and special characters.

2. Enable Two-Factor Authentication (2FA)

  • If available, enable 2FA on my Under Armour account and any other accounts that support it. This adds an extra layer of security by requiring a second form of verification.

3. Monitor Financial Accounts

  • Keep a close eye on my bank and credit card statements for any unauthorized transactions.
  • Consider setting up alerts for transactions over a certain amount.

4. Use a Password Manager

  • Continue using Dashlane to generate and store complex passwords for all my accounts.
  • Regularly review stored passwords and update them as needed.

5. Check for Account Breaches

  • Regularly check my email and associated accounts on "Have I Been Pwned" to see if any other breaches occur that may affect me.

6. Update Security Questions

  • Change security questions and answers for my Under Armour account and any other accounts that may use similar questions.

7. Be Wary of Phishing Attempts

  • Remain vigilant for any suspicious emails or messages that may attempt to exploit the breach.
  • Avoid clicking on links or providing personal information unless I can verify the source.

8. Consider Credit Monitoring

  • Look into enrolling in a credit monitoring service to receive alerts about any changes to my credit report.

9. Contact Under Armour

  • Reach out to Under Armour's customer service to express my concerns and inquire about the breach and any steps they are taking to protect customers.

10. Stay Informed

  • Follow cybersecurity news and updates regarding the breach to understand its implications and any further actions I may need to take.

Conclusion

Data breaches are a serious issue that can have lasting effects on individuals. By taking these steps, you can safeguard your personal information and mitigate the risks associated with data breaches. It's crucial for companies like Under Armour to communicate effectively with their customers during such events, and I hope to see improvements in their response protocols in the future.


Recommended Solutions

Malware Protection


For well over 15 years, I have trusted Malwarebytes to protect my PCs and now, my iPhone. Get your deal here

Avoid Spam with Incogni

Since I started using Incogni in August 2024, the SPAM calls, email and texts have almost stopped. Get your 50% off here

Dashlane Password Manager

I have used Dashlane for over 10 years. The convenience of having only 1 password and being secure is amazing. Get it here 

Personal data leaked? Steps to take

I have a FREE "Step-by-step" guide for you to follow. Get it here

Browse Securely with ExpressVPN


ExpressVPN is a top-rated virtual private network (VPN) service known for its speed, advanced security features, and user-friendly interface. It provides robust encryption to protect your online privacy, hides your IP address, and safeguards your data from hackers, trackers, and surveillance. With servers in over 90 countries, it ensures fast and secure browsing, streaming, and unrestricted internet access worldwide. Get 4 months FREE here

Backup your Data with Acronis


Acronis is an all-in-one cyber protection solution that combines reliable backup, disaster recovery, and advanced cybersecurity. It protects your data from threats like ransomware and hardware failures while ensuring seamless recovery. Acronis offers both cloud and local backup options, making it ideal for individuals and businesses seeking comprehensive and secure data protection. Get it here


Copyright © 2026 Random Acts of It - All Rights Reserved.
