Why cyber espionage detection keeps failing—and how AI is making it worse

The Watchers Who Cannot See

Every major cyber espionage campaign discovered in the past five years shares one humiliating detail: someone else found it first. In 2023, 54% of breaches were detected not by the victim’s own security tools but by outside parties—partners, law enforcement, or the attackers themselves announcing their presence. Defenders spend billions on detection systems that function, in practice, as elaborate mirrors: they show organizations a reflection of threats they already understand, while adversaries operating outside the frame pass unnoticed.

Now add artificial intelligence to the attacker’s toolkit, and the mirror grows darker still.

The capability gap between AI-enhanced offensive reconnaissance and conventional detection is not a crack in the wall. It is a structural misalignment—one where the foundational assumptions of modern cyber defence were designed for a threat that no longer exists.

Built for the Wrong War

Modern detection architecture rests on three pillars: signatures, behaviours, and logs. Endpoint detection and response (EDR) systems watch for known malicious patterns. Behavioural analytics flag deviations from baseline activity. Security information and event management (SIEM) platforms aggregate log data and correlate events across an enterprise. Together, they form what the industry calls “defence in depth.”

Each pillar assumes something about the attacker. Signatures assume adversaries reuse tools. Behavioural analytics assume intrusions generate statistical anomalies. SIEM systems assume relevant evidence will appear in log data within the retention window. Against commodity threats—ransomware gangs recycling known exploits, script kiddies deploying off-the-shelf malware—these assumptions hold.

Against a nation-state espionage service using AI to generate novel tooling, mimic legitimate user behaviour, and operate on timescales that exceed log retention? The assumptions collapse.

Consider the temporal problem alone. Most SIEM platforms retain detailed log data for 30 to 90 days. Some enterprise deployments stretch to a year. Espionage campaigns routinely run for 200 days or more before detection, with some breaches involving stolen credentials averaging 150 days before discovery. The forensic evidence of initial compromise has often been deleted by automated retention policies before anyone knows to look for it. Defenders reconstruct intrusions from fragments—trying to read a novel from which the first eight chapters have been shredded.

This is not a software bug. It is an economic choice. Storing comprehensive log data costs money. Organisations make rational decisions about retention windows based on compliance requirements and budget constraints, not on the operational tempo of Chinese intelligence services. The result: detection systems are temporally blind to the very campaigns they most need to find.

The problem deepens with living-off-the-land techniques. Groups like Volt Typhoon avoid deploying custom malware entirely, instead using legitimate system tools—PowerShell, WMI, built-in remote access—to move through target networks. As Mandiant’s 2024 report stated, “Attackers are focusing more on evasion. They are aiming to avoid detection technologies (such as endpoint detection and response) and maintain persistence on networks for as long as possible, either by targeting edge devices, leveraging ‘living off the land’ and other techniques, or through the use of zero-day vulnerabilities.” When the weapon is indistinguishable from the workplace, every alert is either a false positive or the beginning of a catastrophe. Security operations centres cannot tell which.

Intelligence at Machine Speed

Fifty-seven distinct threat actors from China, Iran, North Korea, and Russia used AI technology in 2024 for tasks ranging from debugging malware to generating phishing content and conducting intelligence gathering. That number captures only actors identified by two companies—Google and OpenAI—using their own platforms. The actual figure is unknowable.

What AI gives the attacker is not a new weapon. It is speed and scale applied to every existing one.

Reconnaissance—the painstaking process of mapping a target’s network topology, identifying key personnel, cataloguing software versions, and discovering exploitable vulnerabilities—has historically been the slowest phase of a cyber operation. A skilled human operator might spend weeks studying a target. An AI-augmented adversary compresses that timeline to hours. Large language models generate bespoke phishing lures in flawless idiomatic English, eliminating the grammatical tells that trained employees once spotted. Machine learning models identify vulnerability patterns across codebases faster than any human analyst. Automated scanning tools, guided by AI-driven targeting logic, probe thousands of internet-facing assets simultaneously while varying their behaviour to avoid triggering rate-based detection rules.

The IBM assessment of offensive AI capabilities catalogues four acceleration domains: code generation for malicious purposes, automated scanning and exploitation, social engineering enhancement, and payload customisation. Each compounds the others. AI-generated code evades signature detection because it has never been seen before. AI-customised payloads adapt to the specific software stack of each target. AI-crafted social engineering exploits the particular organisational context of each victim, informed by AI-processed open-source intelligence scraped from LinkedIn profiles, conference presentations, and procurement records.

One tool illustrates the trajectory. “Villager,” built on the DeepSeek AI model, was downloaded over 17,000 times in 2024. It automates attack sequences end-to-end. This is not a theoretical risk paper or a conference demonstration. It is an operational capability distributed at scale.

The asymmetry cuts deepest in what might be called the reconnaissance-detection inversion. Traditional detection relies on the attacker leaving traces—network scans that trigger alerts, malware that matches signatures, lateral movement that deviates from behavioural baselines. AI-enhanced reconnaissance minimises each of these traces. Scans that once resembled a burglar rattling every door handle now resemble a postman walking a familiar route. The attacker blends into the pattern of normal operations because AI has already learned what normal looks like.

Worse, the act of detection itself leaks information. Every alert rule, every SIEM correlation, every behavioural threshold tells a sophisticated adversary what the defender is watching—and, by extension, what remains unwatched. The more sophisticated the detection, the more it advertises its own blind spots. This creates a feedback loop in which improving defence paradoxically refines offence.

Where the Gap Bites Hardest

Three domains concentrate the vulnerability.

Cloud infrastructure presents a visibility problem that grows with adoption. On-premises networks generate traffic that defenders can inspect. Cloud environments—especially multi-tenant, multi-provider architectures—fragment visibility across control planes, data planes, and application layers that no single monitoring tool covers comprehensively. Network monitoring blind spots proliferate where east-west traffic between cloud services bypasses traditional perimeter sensors. An AI-directed adversary operating within a compromised cloud tenant generates activity indistinguishable from legitimate API calls, because it is legitimate API calls—using stolen credentials to access resources the compromised identity was authorised to reach.

Telecommunications networks represent the crown jewels that everyone assumes someone else is protecting. Salt Typhoon’s 2024 campaign against American telecoms demonstrated that adversaries can operate inside the infrastructure that carries the nation’s communications while detection systems optimised for enterprise IT networks see nothing. Telecom architectures predate modern security instrumentation. Retrofitting detection into SS7 signalling networks and 5G core infrastructure involves re-engineering systems designed for reliability, not security.

Edge devices—the SOHO routers, VPN appliances, and IoT sensors that sit at the boundary between monitored and unmonitored space—provide the attacker’s preferred entry point precisely because they occupy the negative space of enterprise security architecture. These devices run stripped-down operating systems, lack EDR agents, generate minimal logs, and receive infrequent patches. They are the service tunnels of the digital estate: unglamorous, under-maintained, and offering direct access to everything behind the front door.

Across all three domains, a common pattern emerges. Defenders optimised their tools and processes against the threat that generates revenue for security vendors: ransomware. The economics of the security market reward fast detection of loud, disruptive attacks that encrypt files and demand payment. Espionage—quiet, patient, designed to extract intelligence without the victim ever knowing—generates no incident response retainer, no breach notification, no insurance claim. The market does not reward detecting what it cannot price.

Ransomware median dwell time fell to five days in 2023. Espionage dwell time remained measured in months. The divergence is not accidental. It reflects where money flows.

The SOC That Cried Wolf

Inside the security operations centre, the human dimension of the gap manifests as triage paralysis. Analysts face thousands of alerts daily. The overwhelming majority are false positives or low-priority findings. Defenders focus on high-severity alerts as a survival mechanism, creating an environment where AI-enhanced reconnaissance—designed to operate below severity thresholds—moves unnoticed through the space between alarms.

Threat hunting—the proactive, human-driven search for adversaries who have evaded automated detection—offers the best available countermeasure. But it demands skills in chronic short supply. The cybersecurity workforce gap exceeds 3.4 million positions globally. Qualified threat hunters represent a fraction of that shortage. Organisations that cannot staff basic SOC analyst positions are not conducting sophisticated hypothesis-driven hunts for AI-enhanced nation-state intrusions.

The skills gap compounds a knowledge asymmetry. An AI system assisting an attacker improves with every operation, accumulating tradecraft across campaigns and targets. Defenders, bound by classification barriers, organisational silos, and legal constraints on information sharing, learn slowly. The SolarWinds breach revealed that legal barriers, cultural disincentives, and lack of visibility into privately owned infrastructure prevented the US government from detecting a compromise affecting 18,000 entities for months. The intelligence community’s instinct toward secrecy—justified by source protection—directly degrades the collective defensive posture.

Here lies the structural irony. The agencies best positioned to understand AI-enhanced espionage threats—NSA, GCHQ, their Five Eyes counterparts—are also the agencies whose offensive equities create institutional reluctance to share what they know. Rob Joyce, who directed NSA’s Cybersecurity Directorate until his retirement in March 2024, spent his career embodying this tension: a former head of Tailored Access Operations who understood attacker tradecraft intimately and pushed for greater transparency, yet operated within an organisation whose culture defaults to classification. The result is that defensive knowledge circulates too slowly through bureaucratic channels while offensive capabilities distribute at the speed of a GitHub download.

What Breaks Next

Without intervention, three dynamics converge over the next 24 months.

First, agentic AI transforms the cyber kill chain from a sequence into a branching tree. Current AI tools assist human operators. The next generation will conduct autonomous multi-stage operations—scanning, exploiting, establishing persistence, exfiltrating—without human guidance at each step. Detection systems built to identify human-paced operations will face machine-speed campaigns that complete their objectives before the first alert fires.

Second, the defender’s AI deficit widens. Security vendors deploy machine learning for anomaly detection and automated triage. But defensive AI faces a harder problem than offensive AI. Attackers need to find one path through defences. Defenders must cover all paths. Attackers define their own success criteria. Defenders must satisfy regulatory, legal, and operational requirements simultaneously. An AI-generated phishing email needs only to fool one person. An AI-powered detection system must correctly classify millions of events per day with near-zero false negative rates while maintaining tolerable false positive rates. The asymmetry is architectural, not merely tactical.

Third, the economic incentives continue to misalign. Cyber insurance, the emerging market mechanism for pricing risk, rewards compliance with frameworks and checklists. It does not reward—and cannot yet measure—the ability to detect a novel AI-enhanced espionage campaign. Until insurers can differentiate between organisations performing security and organisations achieving it, the gap between security theatre and genuine protection will persist.

The most probable outcome is not a dramatic failure but a slow accretion of undetected compromises. Intelligence services will extract strategic advantages from telecommunications, defence contractors, and government networks for years before detection—if detection comes at all. The damage will be measured not in ransoms paid but in negotiations lost, weapons systems compromised, and policy positions anticipated by adversaries who read the drafts.

Narrowing the Aperture

Three intervention points offer genuine leverage. None is painless.

Mandatory minimum log retention for critical infrastructure. If espionage campaigns operate on 200-day timescales, 90-day retention windows guarantee forensic blindness. The US government should require critical infrastructure operators to retain comprehensive log data for a minimum of 18 months, with federal subsidies for storage costs. The trade-off: storage is expensive, compliance burdens fall disproportionately on smaller operators, and longer retention creates larger data stores that themselves become espionage targets. But the alternative—investigating intrusions from which the evidence has been auto-deleted—is worse.

Declassification pipelines for offensive tradecraft. The NSA and its partners possess unmatched understanding of how AI-enhanced reconnaissance operates, because they conduct it. CISA should establish a standing declassification review process—modelled on the Cybersecurity Directorate’s unclassified threat-sharing mission—that converts offensive insights into defensive signatures within weeks, not years. Anne Neuberger’s experience building NSA’s Cybersecurity Directorate, a 4,000-person unclassified organisation, demonstrates this is organisationally possible. The trade-off: faster declassification risks burning sources and methods, and intelligence agencies will resist. But defensive knowledge that arrives after the campaign is over is intelligence trivia, not security.

Economic incentives that reward espionage detection. Regulators and insurers should create mechanisms that distinguish between organisations detecting sophisticated intrusions and those merely achieving compliance. Tax incentives for mature threat-hunting programmes, insurance premium reductions for demonstrated detection capability (not just tool deployment), and liability protections for organisations that share threat intelligence would begin to redirect market forces. The trade-off: measurement is hard, gaming is inevitable, and the compliance-industrial complex will lobby fiercely to preserve the profitable status quo.

The honest assessment: the first intervention is likely, the second is possible, and the third is optimistic. What will actually happen is incremental improvement in automated detection, continued expansion of AI-enhanced offensive capability, and a growing inventory of undetected compromises whose consequences surface only when it is far too late to prevent them.

Frequently Asked Questions

Q: Can AI-powered security tools close the gap against AI-enhanced cyber attacks? A: Defensive AI improves triage speed and anomaly detection but faces a structural disadvantage: attackers need to find one path through defences while defenders must cover all paths simultaneously. AI helps defenders process more data faster, but the attacker’s problem is inherently easier than the defender’s.

Q: How long do cyber espionage operations typically go undetected? A: While the global median dwell time fell to 10 days in 2023, that figure is skewed by ransomware (detected in five days because attackers announce themselves). Espionage-focused intrusions routinely persist for 150 to 200 days or more, and some are never detected at all.

Q: What is living off the land in cyber security? A: Living off the land refers to attackers using a target’s own legitimate tools—PowerShell, Windows Management Instrumentation, built-in remote access features—instead of deploying custom malware. This technique defeats signature-based detection because the “weapons” are standard system utilities present on every machine.

Q: What is the biggest cybersecurity threat from AI in 2025? A: The most significant near-term threat is AI-automated reconnaissance and social engineering at scale. Tools like “Villager,” downloaded over 17,000 times in 2024, automate entire attack sequences. The shift from AI-assisted to AI-autonomous offensive operations will compress attack timelines below the threshold of human-speed detection.

The Familiar Pattern

In December 1941, the US Navy had the signals intelligence to anticipate the attack on Pearl Harbor. The data existed. The analytical frameworks did not. Organisational structures prevented synthesis. The warning arrived after the bombs.

The parallel to SolarWinds is not exact—no parallel ever is—but the failure mode rhymes. Detection infrastructure generates more data than ever. AI-enhanced adversaries operate within it, not around it. The signals are present. The architectures that might interpret them are not.

The question for Western governments is whether they will restructure detection before the next strategic compromise surfaces, or after. History suggests after. The cost of that delay is not measured in dollars. It is measured in the decisions adversaries make with intelligence their targets never knew was stolen.

Sources & Further Reading

The analysis in this article draws on research and reporting from:

• Mandiant M-Trends 2024 Special Report - Primary source for dwell time statistics, detection source breakdowns, and attacker evasion trends
• OpenAI Threat Intelligence Report, October 2024 - Documentation of 57 threat actors using AI platforms for offensive cyber operations
• Recorded Future 2024 Annual Report - Analysis of AI-enabled attack tools including the “Villager” platform
• Proofpoint: Living Off the Land Attacks - Technical explanation of LOTL techniques and detection challenges
• CISA/NSA Joint Guidance on Deploying AI Systems Securely - Five Eyes framework for AI security deployment
• SentinelOne: Signature-Based vs. Behavioral AI Detection - Comparison of detection methodologies and their limitations
• IBM X-Force: Understanding the Future of Offensive AI - Assessment of AI-enhanced offensive capability domains
• LiveAction: Telemetry Gaps and Network Blind Spots - Analysis of visibility gaps in modern network monitoring

Related Reading

• China has penetrated Taiwan's military. Does that make US intelligence sharing dangerous?
• How China could neutralise US bases in Australia without firing a shot
• Has Chinese espionage already crippled Taiwan's military before the war begins?