Five Eyes AI Warning: How Security Leaders Can Prepare
July 1, 2026
On June 22, 2026, the Five Eyes cybersecurity agencies, including CISA, the NSA, and the UK's NCSC, issued a joint statement, “The AI Shift in Cyber Risk: Why Leaders Must Act Now.”
Their message is direct. AI is changing the threat faster than most can keep up, on a timeline of months, not years.
What sets the statement apart is its audience. Aimed at boards and executives more than security teams, it reframes cyber resilience as a core business risk tied to continuity, market confidence, and long-term value.
Having controls is not the same as knowing they will hold. The agencies want leaders confident their defenses will perform in a real incident, with an attacker already inside.
The statement also does something its peers rarely do. It calls on industry, naming vendors specifically, to act now and work alongside government.
The principles shaping cyber priorities
The Five Eyes statement sets out three core principles. The first is secure-by-design and secure-by-default, or building security in from the start rather than bolting it on. It's an architecture and development discipline, and the right place to act on it is upstream, well before anything reaches production.
The other two shape where defenders watch once systems are live. Resilience can't depend on a single tool – defense in depth remains essential – and new vulnerabilities, including zero-days, will keep emerging.
Both assume something will get through.
Defense in depth is table stakes
No single tool makes you resilient. The strength is in the layers working together, each covering for the others' weak spots. Endpoint, identity, and logging are all part of that, but each one has gaps: an agent that can’t be installed, a credential that looks valid, a log that was deleted.
Network detection and response (NDR) fills those gaps. Because every device and connection produces traffic, the network sees what the other layers can't.
Zero-days are inevitable
You can't protect your organization from a vulnerability that hasn't been disclosed yet.
While the exploit may be novel, the activity that follows rarely is. Lateral movement, privilege escalation, credential theft, and command-and-control traffic tend to follow predictable patterns even when the initial exploit is brand new. Monitoring for those behaviors catches attacks that traditional, signature-based tools miss.
This is what ExtraHop is built to do. Its machine-learning models baseline normal activity and flag the post-exploitation behavior on the wire, regardless of the vulnerability behind it. And when new intelligence lands, Automated Retrospective Detection re-scans stored network history against it. The moment a vulnerability surfaces, you can tell whether you were already hit.
Five actions to take now
Five Eyes lists five practical actions. The agencies are clear these aren't new ideas, but call them urgent now.
1. Reduce your attack surface
You can't shrink an attack surface you can't see, so it starts with an honest inventory – the thing most organizations are missing. The agencies ask leaders to limit unnecessary access and external connectivity, and to challenge whether systems need to be exposed at all.
The hard part isn't the principle; it's that the riskiest assets are usually the ones missing from the asset database: the unmanaged, forgotten, and end-of-life systems no one is tracking. This is where the network has an advantage, because every device reveals itself the moment it enters.
ExtraHop discovers and classifies assets from how they behave on the wire, including the ones that never make it into a CMDB, and shows what's exposed externally, what's talking to what, and where deprecated protocols and weak configurations still live. You can't isolate or harden an asset you don't know is there.
2. Accelerate patching processes
The agencies single out patching because AI is shortening the time between vulnerability discovery and exploitation, especially for operational systems on long maintenance cycles. But even an accelerated patch cycle has a floor: testing, change windows, and uptime requirements mean some systems can't be patched the moment a fix ships. Something has to defend the organization in the meantime.
An exploitation attempt has to cross the wire whether or not the target is patched. Watching traffic shows both which exposed systems are being probed right now and which attacks are landing against the ones you haven't reached yet.
ExtraHop turns that visibility into action. It surfaces the systems under active threat so you patch those first, and it catches exploitation attempts against everything still unpatched. One layer closes the holes on a schedule, the other defends the holes still open.
3. Address legacy systems
Once a system is past end-of-life, the vendor stops shipping patches, so newly discovered vulnerabilities simply never get fixed. Often these are the systems running something the business still depends on, which means they can't be taken offline either, leaving an asset you can neither patch nor remove.
That's also the asset an agent-based tool can't help with, since old or unsupported platforms frequently can't run an agent at all.
The network sidesteps the problem entirely. It observes the system from the outside without anything installed on it. ExtraHop monitors these devices passively to catch anomalous or malicious activity the moment it appears. It's the same reason network visibility matters so much in OT and ICS environments, where touching a device isn't an option.
4. Review and strengthen identity and access controls
Strong authentication and tidy permissions matter, but they only govern who gets in, not what an identity does once it's inside. All too often, attackers get through with stolen credentials, forged tickets, and privilege escalation that looks entirely legitimate to the systems being abused. According to the 2026 Verizon DBIR, credential abuse appears in 39% of all breaches.
The way you catch them is by watching how those identities actually behave on the network and noticing when one deviates from its norm: reaching systems it never touches, requesting access it never needs, moving in ways that account never moves.
That behavior plays out on the network, where authentication and access happen in the open. ExtraHop sees the Kerberos, LDAP, and NTLM activity on the wire and flags deviations that signal credential theft and lateral movement, including DCSync-style replication abuse and Kerberoasting that identity logs alone can miss.
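The two detection ideas in this post, baselining what an identity normally does on the wire and flagging deviation (this section), and re-checking stored network history the moment new intelligence lands (the "Zero-days are inevitable" section), can be sketched in a few dozen lines. The Python below is an added illustration written for this page; it is not ExtraHop's code and not part of the Five Eyes statement. Every record, identity, host name and the 203.0.113.45 address is constructed, and the profile fields, the two-reason threshold and the ten-minute window are arbitrary choices made for the example.

```python
"""Behavioral baselining of identity activity seen on the wire, plus a
retrospective scan of stored connection history against newly published
indicators. Added illustration; every record below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection summaries, as a passive network sensor might emit them:
# (ISO timestamp, identity, destination host, protocol). Not real traffic.
BASELINE_RECORDS = [
    ("2026-06-01T08:30:00", "svc-backup", "fileserver01", "SMB"),
    ("2026-06-01T09:02:00", "alice", "fileserver01", "SMB"),
    ("2026-06-01T09:05:00", "alice", "mail01", "HTTPS"),
    ("2026-06-02T08:30:00", "svc-backup", "fileserver02", "SMB"),
    ("2026-06-02T09:10:00", "alice", "fileserver01", "SMB"),
    ("2026-06-02T10:00:00", "alice", "mail01", "HTTPS"),
    ("2026-06-03T08:30:00", "svc-backup", "fileserver01", "SMB"),
    ("2026-06-03T09:00:00", "alice", "fileserver01", "SMB"),
]

# A later day: alice's credential is used at 02:14 against hosts she never
# touches, then an outbound connection to a constructed external address.
NEW_RECORDS = [
    ("2026-06-10T02:14:00", "alice", "dc01", "LDAP"),
    ("2026-06-10T02:15:00", "alice", "dc01", "KERBEROS"),
    ("2026-06-10T02:16:00", "alice", "hr-db01", "MSSQL"),
    ("2026-06-10T02:20:00", "alice", "203.0.113.45", "HTTPS"),  # constructed
    ("2026-06-10T08:30:00", "svc-backup", "fileserver02", "SMB"),  # normal
    ("2026-06-10T09:01:00", "alice", "fileserver01", "SMB"),       # normal
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def build_baseline(records):
    """Learn, per identity, which hosts and protocols it normally uses and at
    which hours of the day it is normally active."""
    baseline = defaultdict(lambda: {"hosts": set(), "protocols": set(), "hours": set()})
    for ts, identity, host, proto in records:
        profile = baseline[identity]
        profile["hosts"].add(host)
        profile["protocols"].add(proto)
        profile["hours"].add(_parse(ts).hour)
    return dict(baseline)


def score_deviations(baseline, records, min_reasons=2):
    """Return records that deviate from the identity's learned profile in at
    least min_reasons ways (new host, new protocol, unusual hour)."""
    flagged = []
    for ts, identity, host, proto in records:
        profile = baseline.get(identity)
        if profile is None:
            flagged.append({"identity": identity, "host": host, "time": ts,
                            "reasons": ["identity never seen before"]})
            continue
        reasons = []
        if host not in profile["hosts"]:
            reasons.append("host never contacted before")
        if proto not in profile["protocols"]:
            reasons.append("protocol never used before")
        if _parse(ts).hour not in profile["hours"]:
            reasons.append("activity outside usual hours")
        if len(reasons) >= min_reasons:
            flagged.append({"identity": identity, "host": host, "time": ts,
                            "reasons": reasons})
    return flagged


def lateral_spread(baseline, records, window=timedelta(minutes=10)):
    """Per identity, the largest number of distinct never-before-seen hosts it
    reached inside any single window: a burst of new hosts is the shape
    lateral movement leaves in traffic regardless of the initial exploit."""
    new_contacts = defaultdict(list)
    for ts, identity, host, _ in records:
        known = baseline.get(identity, {}).get("hosts", set())
        if host not in known:
            new_contacts[identity].append((_parse(ts), host))
    result = {}
    for identity, contacts in new_contacts.items():
        contacts.sort()
        best = 0
        for i, (start, _) in enumerate(contacts):
            hosts = {h for t, h in contacts[i:] if t - start <= window}
            best = max(best, len(hosts))
        result[identity] = best
    return result


def retrospective_scan(history, indicators):
    """Re-check stored history against indicators published after the fact.
    Returns the first observed contact per indicator; empty if never seen."""
    first_seen = {}
    for ts, identity, host, _ in sorted(history):  # ISO timestamps sort in time order
        if host in indicators and host not in first_seen:
            first_seen[host] = (ts, identity)
    return first_seen


if __name__ == "__main__":
    profile = build_baseline(BASELINE_RECORDS)
    for hit in score_deviations(profile, NEW_RECORDS):
        print(hit["time"], hit["identity"], "->", hit["host"], "|", "; ".join(hit["reasons"]))
    print("distinct new hosts per identity within 10 min:", lateral_spread(profile, NEW_RECORDS))
    print("retrospective:", retrospective_scan(BASELINE_RECORDS + NEW_RECORDS, {"203.0.113.45"}))
```

The point of the retrospective function is the one the post makes: the stored history is checked against an indicator that did not exist when the traffic was captured, so the answer to "were we already hit?" comes from the record rather than from re-instrumenting hosts. In practice the profile would be learned over weeks rather than three days, and the hour-of-day and host-set features would be weighted rather than counted.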
5. Prepare for incidents before they happen
Breaches will occur, so the measure of readiness is how fast you can contain one. That depends on starting from evidence instead of guesswork.
To move quickly, responders need to know what the attacker touched, where they moved, and what left the building while it's still unfolding. The problem is that the systems an attacker compromises are the same ones you'd turn to for answers, and logs can be deleted, disabled, or never collected in the first place.
The network is the one account of the incident an attacker can't quietly edit. Traffic that already crossed the wire is a matter of record, captured independently of any host. ExtraHop turns that into a continuous, high-fidelity record of activity, so the investigation starts from facts.
It's also where the boardroom question gets answered. When leaders ask whether the controls held, the network record is the independent source that can show them, rather than a status dashboard reporting on itself.
Using AI to defend at the speed of AI
The agencies are blunt that adversaries already use AI to move faster, and that defenders must use AI deliberately to strengthen defence, not just improve efficiency. The distinction matters.
Pointed at productivity, AI just helps a team clear its queue a little quicker; pointed at the threat, it changes what a team can catch. The bottleneck in defense was never the volume of alerts. It's spotting the handful of meaningful signals in an enormous amount of activity fast enough to act.
The network is where there's enough signal to make that pay off. Every device, identity, and connection leaves a trace in the traffic, which gives behavioral models a rich, continuous picture to learn normal from and flag deviation against.
ExtraHop applies machine learning and behavioral analytics to exactly that: a tokenized stream of network metrics feeds hundreds of behavioral models that score activity and surface threats in near real time, alongside a rules engine maintained by threat researchers. AI earns its place in defense the same way the Five Eyes frame it – by helping your team see what matters and act before the attacker finishes.
ExtraHop: Here to help you navigate the AI threat landscape
The response to AI-era risk is a shared one, and vendors are expected to bring something specific to it. The agencies closed by asking industry, vendors included, to act now and work together to protect our people and secure our future.
ExtraHop's contribution is specific, and it doesn't require ripping out what you already run. We give defenders an independent, network-level view that turns a wall of controls into something you can actually trust under fire. That is how a board finds out whether its defenses hold — before an attacker tests them.
Key Takeaways
- Five Eyes agencies warn AI is compressing attacker timelines from years to months.
- No single control is enough; defense in depth requires layers that cover each other's blind spots.
- The network sees what endpoint, identity, and logging tools miss — including unmanaged and legacy assets.
- Credential abuse drives 39% of breaches; network visibility catches the behavior stolen credentials produce.
- Logs can be deleted. Network traffic can't — incident response starts from that record.