CISOs must prepare for "a really different world" where cybercriminals can reliably automate cyberattacks at scale, according to a senior Googler.

Heather Adkins, veep of security engineering at the ad and cloud giant, [1]said it probably won't be for a few years to come, but cybercriminals are already using AI to enhance small parts of their workflows, and it won't be long before a full, end-to-end toolkit is developed.

In a conversation held on the Google Cloud Security podcast, Adkins pointed out that crooks are already using AI for small tasks - grammar, spell-checking phishing copy and other productivity enhancements.

[2]

"It's just a matter of time before somebody puts all of these things together, end-to-end," she said. "And what I fear the most is somebody developing the capability to prompt a model to hack any company, and the model being able to come back in a week with a root prompt. If that ends up happening, I think it'll be a slow ramp over the next six to 18 months.

[3]

[4]

"We're also seeing defense pick up the same tools and use them for the same purposes, so it may not feel as shocking. Of course, things could go very differently, but these are the things that should be on everyone's mind and we should be getting ready for a really different world."

Google Threat Intelligence Group (GTIG) published an [5]overview of the most recent developments in how attackers are experimenting with AI, noting that malware families are already using LLMs to generate commands in order to steal victim data.

[6]

Sandra Joyce, VP at GTIG, added that China, Iran, and North Korea are all abusing AI tools to aid different stages of their respective attacks. These include initial network reconnaissance and C2 development, as well as the aforementioned phishing copy and data-stealing commands.

The fear among senior Googlers is that these small components will be chained together and provide similar functionality to today's exploit kits.

Anton Chuvakin, security advisor at Google's office of the CISO, said: "To me, the more serious threat isn't the APT, it's the Metasploit moment [when exploit frameworks became easily accessible 20 years ago]. I worry about the democratization of threats."

[7]

Exploit kits such as [8]Metasploit and [9]Cobalt Strike started out as legitimate pentesting tools, but cracked versions soon made their way into attackers' hands, making their post-compromise lives significantly easier. Experts fear a similar end once AI-powered toolkits are acquired by the wrong people.

For Adkins, a worst-case scenario of an AI-enabled attack could look something like a [10]Morris worm -type event that spreads an autonomously executing ransomware toolkit, encrypting computers en masse, for example.

[11]Davos discussion mulls how to keep AI agents from running wild

[12]Curl shutters bug bounty program to remove incentive for submitting AI slop

[13]AI framework flaws put enterprise clouds at risk of takeover

[14]Yes, criminals are using AI to vibe-code malware

"Or it could look something like the [15]Conficker worm that didn't really do anything, but everybody still panicked and wrote thousand-page government reports on it," she added.

"Maybe an altruistic person unleashes it on the world and it patches a bunch of bugs. It really just depends on who puts the pieces together, and their motives."

As for now, LLMs are still struggling with the basics. From [16]discerning right from wrong , to more technical wrinkles like being unable to switch from strange thought paths when looking for vulnerabilities, AI requires some progress before we see the best or worst of it.

However, when or if that day comes, attackers may gain an even greater first-mover advantage over defenders. When criminals can prompt an AI tool to compromise a given organization, leaving the victim little time to respond, that could force the good guys to redefine success in the post-AI era.

Post-AI cyber success may not be measured by whether an attacker breaks into a network, but by how long they are inside, and by how little damage they can cause.

Adkins said that in a cloud context, AI-enabled defenses should simply turn off an instance if it detects malicious activity, but implementing these systems will have to be done carefully so as not to cause problems.

"We're going to have to put these intelligent reasoning systems behind real-time decision-making and disrupt decision-making on the ground, without causing reliability problems," she said. "Maybe you need human approval. Or you shut down one instance and turn up another one.

"There are options other than just the on/off switch, but we have to start reasoning about real-time disruption capabilities or degradation, and use the whole information operations playbook to change the battlefield to confuse AI attackers. Particularly because they're stumbling around in the dark a little bit and may be less resilient than human attackers." ®

Get our [17]Tech Resources



[1] https://cloud.google.com/transform/truths-about-ai-hacking-every-ciso-needs-to-know-qa

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aXP9khDWmm5mFOdf0fwNPQAAA4U&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aXP9khDWmm5mFOdf0fwNPQAAA4U&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aXP9khDWmm5mFOdf0fwNPQAAA4U&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://cloud.google.com/blog/products/identity-security/cloud-ciso-perspectives-recent-advances-in-how-threat-actors-use-ai-tools

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aXP9khDWmm5mFOdf0fwNPQAAA4U&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aXP9khDWmm5mFOdf0fwNPQAAA4U&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[8] https://www.theregister.com/2017/02/03/metasploit_hardware_upgrade/

[9] https://www.theregister.com/2024/07/04/europol_cobalt_strike_crackdown/

[10] https://www.theregister.com/2013/11/04/morris_worm_anniversary/

[11] https://www.theregister.com/2026/01/21/davos_ai_agents_security/

[12] https://www.theregister.com/2026/01/21/curl_ends_bug_bounty/

[13] https://www.theregister.com/2026/01/20/ai_framework_flaws_enterprise_clouds/

[14] https://www.theregister.com/2026/01/08/criminals_vibe_coding_malware/

[15] https://www.theregister.com/2009/03/30/conficker_signature_discovery/

[16] https://www.theregister.com/2026/01/08/uk_regulators_swarm_x_after/

[17] https://whitepapers.theregister.com/