The SANS Institute used its signature keynote at RSA Conference 2026 to issue its starkest warning yet: artificial intelligence now sits at the center of every major emerging attack technique. For the first time in the keynote’s long history, all five of the “Most Dangerous New Attack Techniques” carry an AI-driven component, marking a decisive shift in how cyber threats are created, executed, and scaled.
Moderated by SANS Technology Institute President Ed Skoudis, this year’s session emphasized the accelerating collision between the rising complexity of modern digital infrastructure and the speed at which AI is enabling attackers to operate. SANS experts warned that organizations now face a dual crisis of comprehension and response time.
“We would be lying to you if we pointed out a trend in attacks that did not involve AI. That is just where we are in this industry.”
— Ed Skoudis, President, SANS Technology Institute
Leading the list is the rise of AI‑generated zero‑day exploits, which have shifted from rare, resource‑intensive operations to inexpensive, widely accessible capabilities. Researchers have already demonstrated AI-discovered vulnerabilities for under $200 a development that could transform exploitation from targeted operations into broad‑scale campaigns.
“Attackers were already faster than us. AI has made the gap unbridgeable at our current pace.”
— Joshua Wright, SANS Fellow
Supply chain attacks continue to surge as well, fueled by AI‑generated malicious packages and poisoned update channels. SANS noted that hundreds of thousands of compromised components were pushed into open‑source ecosystems last year, threatening organizations through their vendors’ vendors.
Operational technology (OT) environments face a separate visibility crisis, with SANS Fellow Robert Lee highlighting that many critical‑infrastructure operators still lack the monitoring necessary to determine whether outages are accidental or malicious a blind spot exploited in multiple real‑world incidents.
“Most breaches don’t fail because of tools. They fail at decision points. AI cannot be the decision point.”
— Heather Barnhart, SANS Institute
Meanwhile, the rise of unvalidated AI tools in digital forensics and incident response poses new internal risks, as overreliance on automated interpretation can introduce hidden investigative errors.
Rounding out the list is the accelerating race toward autonomous defense, as attackers increasingly automate entire intrusion workflows. SANS’ new Protocol SIFT initiative aims to counter this by enabling human‑centered AI assistance that dramatically shortens investigation timelines.
