AI vs. AI: the arms race in cyber space

Key points

While digitization boosts productivity, it also escalates cyber threats. Generative AI is enabling more sophisticated, faster, and harder-to-detect cyberattacks.
Rising geopolitical tensions, particularly involving Russia, China, and North Korea, are intensifying cyber warfare. State-sponsored groups like Volt Typhoon and APT44 are targeting critical infrastructure with advanced malware.
Weekly cyberattacks per organization surged 44% in 2024, with average breach costs reaching USD 4.88 million globally (excluding the US) and USD 9.36 million in the US alone.
AI-powered tools are emerging as the most effective countermeasure, enabling real-time threat detection, anomaly spotting, and automated incident response.
As cyber threats grow in scale and complexity, demand for AI-integrated security solutions is likely to rise.

One of the structural growth drivers underpinning our security and safety investment theme is the ongoing digitization of society. While this trend has brought about information accessibility, productivity gains and operational efficiencies, it has also introduced a new wave of IT security challenges. The boundaries between conventional warfare and cyber conflicts are increasingly blurred, with AI-powered cyberattacks evolving rapidly in both scale and sophistication.

Amid a volatile geopolitical landscape, state-sponsored cyberattacks are becoming more aggressive and technically advanced. For instance, last year US officials accused ’Volt Typhoon,’ a China-backed hacker group, of attempting to infiltrate American computer networks with the intent to disrupt critical infrastructure such as water, electricity, or transportation during a future conflict.^1��The FBI has since issued a public appeal for information and is offering a USD 10 million reward to help identify those responsible.²

The rise of AI-driven threats

A recent survey of over 1,800 IT decision-makers across the US, Europe and Australia found that 77% believe geopolitical tensions have heightened the threat of cyber warfare, up from 41% in 2024. Furthermore, 72% fear that nation-state cyber capabilities could escalate into a full-scale cyberwar.^3��Such operations, often involving destructive malware,⁴ aim to target critical infrastructures, disrupt essential services and sow chaos. Examples include:

Void Manticore, an Iranian hacker group linked to the Ministry of Intelligence and Security (MOIS), deployed ’No-Justice Wiper’ malware to erase data and disrupt services in Albania and Israel.⁵
APT44 (also known as ’Sandworm’), a Russian-affiliated group, launched AcidPour to compromise Ukrainian infrastructure and exfiltrate sensitive military data.⁶
Volt Typhoon, associated with China, focuses on long-term infiltration of critical systems to gather intelligence and establish latent disruption capabilities.⁷

Survey respondents identified Russia, China and North Korea as the top state-sponsored cyber threats, potentially utilizing AI-tools to identify vulnerabilities and conduct cyberattacks (Fig. 1). Interestingly, over half (51%) view China as a greater risk than Russia. More than 72% believe these actors have the potential to trigger a full-scale cyberwar with severe consequences for critical infrastructure.⁸

Bar graph depicting answers to a survey question about dominant state-sponsored threats, with Russia, China, and North Korea leading the ranking.

The cost of inaction

The proliferation of AI, particularly generative AI (GenAI) with its natural language interface and coding capabilities, is a double-edged sword. While it offers powerful tools for innovation, it also enables attackers to craft more convincing phishing campaigns and automate malware development, making cyberattacks faster and harder to detect.

According to Gartner, by 2027, over 40% of AI-related data breaches will stem from improper use of GenAI, particularly due to unintended cross-border data transfers and insufficient oversight. For example, sensitive prompts sent to AI tools hosted in unknown jurisdictions could inadvertently expose critical data.⁹ Key statistics underscore the urgency:

The average number of weekly cyberattacks per organization reached 1,624 in 2024, a 44% increase from 2023.¹⁰
The global (excluding the US) average cost of a data breach climbed to USD 4.88 million compared to the previous year (a 10% increase), with US breaches averaging nearly double at USD 9.36 million.¹¹
The average breakout time – the time it takes for an attacker to move laterally within a network – is just 48 minutes. In some cases, it has taken as little as 51 seconds.¹² Nearly 20% of data exfiltration occurs within the first hour of compromise,¹³ leaving little time for human intervention, which highlights the need for real-time detection and AI-powered response capabilities.

A simulation by Unit 42 (part of Palo Alto Networks Inc.) demonstrated that GenAI-assisted ransomware attacks reduced the time to data exfiltration from two days to just 25 minutes (Fig. 2). While lab-based, the findings highlight that AI can rapidly shorten the progression from reconnaissance to exploitation (’time-to-impact’), compressing the window for effective response.¹⁴

Figure 2: The speed of a simulated ransomware attack, with and without using AI-assisted techniques

AI-assisted ransomware attack takes 25 min, while without AI it may take up to 2 days. — Source: Palo Alto Networks (2025): Global Incident Response Report 2025, p. 17.

Visual representation of AI-assisted ransomware attack taking 25 min compared to one without using AI, which may take even 2 days.

AI as the shield

Despite its risks, AI also offers the most promising solutions to today’s cybersecurity challenges. Several AI-driven technologies are already reshaping the defensive landscape:

Incident response: AI can detect and mitigate threats, enabling faster recognition, autonomous responses, dynamic learning and efficient alert management. IBM reports that AI adoption can significantly reduce the time to contain a security breach.¹⁵
Anomaly detection and zero-day defense: By continuously analyzing network traffic and used behavior, AI can identify deviations from historical patterns and detect emerging threats before they escalate.¹⁶
Reat-time intrusion detection: AI-powered systems can dynamically adjust detection methods,¹⁷ making it harder for threats to remain undetected.
AI-based security orchestration, automation and response (SOAR): these platforms streamline incident handling by isolating compromised systems and instantly alerting IT-security teams, minimizing damage and preventing deeper infiltration.¹⁸

From risk to resilience

The cybersecurity landscape is evolving into a high-speed contest between adversaries and defenders – both increasingly reliant on AI. While malicious actors exploit GenAI to enhance their capabilities, security professionals are deploying the same tools to stay ahead. The arms race in cyberspace is intensifying.

While AI contributes to the threat landscape, it is also central to the solution. AI-powered threat intelligence is transforming cybersecurity by enabling proactive risk detection and mitigation, allowing organizations to counter AI-driven attacks with equally advanced defenses. This has created a high-speed, machine-to-machine dynamic in which AI systems are continuously engaged in both offense and defense. Advanced capabilities such as surface and darknet monitoring, purpose-configured honeypots¹⁹ and human intelligence provide a critical edge, helping companies and governments stay ahead of emerging threats.

As digitization accelerates, enhancing the resilience of critical IT security infrastructure has become an urgent priority. As a result, attractive investment opportunities are likely to arise particularly in leading cybersecurity companies that are embedding GenAI capabilities into their service offering.

^1.��CISA (2024): PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure, 7.2.2024, media release,
^2. FBI (2025): FBI Seeking Tips about PRC-Targeting of US Telecommunications, media release,
^3. Armis Labs (2025): The state of cyberwarfare – Warfare without borders, p. 6,
^4. A wiper is malware that deletes or destroys an organization’s access to files and data. This type of malware is commonly used as a tool for destruction and disruption since the loss of critical information could make it impossible for an organization to maintain business operations or carry out certain actions ( Checkpoint Software,
^5. Checkpoint Software (2024): Bad Karma, No-Justice: Void Manticore destructive activities in Israel, media release,
^6. SentinelOne (2024): AcidPour: New embedded Wiper variant of AcidRain appears in Ukraine, media release,
^7.Microsoft (2023): Volt Typhoon targets US critical infrastructure with living-off-the-land techniques, 24.5.2023, media release,
^8. Armis Labs (2025): The state of cyberwarfare – warfare without borders, p. 7,
^9. Gartner (2025): Lack of Consistent Global AI Standards Forces Enterprises to Develop Region-Specific Strategies, Limiting AI Scalability and Benefits, 17.2.2025, ., 28.4.2025.
^10. Checkpoint Software (2025): The state of cyber security 2025, p. 34,
^11. IBM (2024): Cost of a Data Breach Report 2024, July 2024, p. 9,
^12.CrowdStrike (2025): CrowdStrike 2025 Global Threat Report, p. 9,
^13. Palo Alto Networks (2025) : Global Incident Response Report 2025, p. 14,
^14. Palo Alto Networks (2025): Global Incident Response Report 2025, p. 17,
^15.IBM (2024): Cybersecurity in the era of generative AI, April 2024, p. 10,
^16.Source: Fortinet (2025): Artificial Intelligence (AI) in cybersecurity,
^17.DataGuard (2025): How intrusion detection systems help identify cyber threats in real-time,
^18.Palo Alto Networks (2025): What is SOAR? blog,
^19.A honeypot is a decoy system set up to attract and trap cyber attackers, allowing security teams to study their behavior and improve defense (Fortinet 2025): What Are Honeypots (Computing)?,

S-06/25 M-001418

About the author

Dr. Patrick Kolb
Senior portfolio manager, Thematic Equities
Patrick Kolb (PhD), Managing Director, has been a Senior Portfolio Manager for the Security Equity strategy since 2007. In 2005, he joined Credit Suisse Asset Management, now part of �۶��Ƶ Group, where he initially focused on the industrials and technology sectors. Patrick graduated from the University of Zurich with a major in Finance and then worked as a research assistant at the Institute of Banking and Finance at the University of Zurich before earning his PhD in Financial Economics.