Frontier AI is Already Supercharging More Than Vulnerability Exploitation
Much of the discussion surrounding frontier AI and cybersecurity has focused on how to find and patch vulnerabilities faster than threat actors using frontier AI can find and exploit them. This concern is well founded because vulnerabilities remain one of the most effective ways for attackers to gain an initial foothold, and frontier AI is reducing the time, cost, and expertise required to exploit them.
However, this framing captures only part of the problem. Once an attacker has gained access to an enterprise environment, they try to identify the most effective path toward a valuable target. That path often involves living off the land (LOTL): exploiting identities, privileges, trust relationships, misconfigurations, and legitimate administrative tools rather than exploiting vulnerabilities.
This distinction has important implications for how organizations allocate defensive resources. The urgency surrounding vulnerability management is well deserved because externally exposed vulnerabilities remain one of the most reliable mechanisms for adversaries to establish an initial foothold. However, the importance assigned to external vulnerability remediation can sometimes carry over into internal environments without sufficient consideration of how attackers actually operate after compromise.
Inside a managed enterprise network, where endpoint detection and response provides visibility into many forms of software exploitation, attackers look for quieter and more reliable paths through identity abuse, excessive privileges, exposed secrets, and legitimate administrative pathways. Organizations should therefore evaluate internal vulnerabilities alongside these living-off-the-land exposures and prioritize remediation based on their relative contribution to realistic attack paths toward critical assets.
The Front Door: External Facing Vulnerabilities
The importance of external vulnerabilities remains clear. Verizon's 2025 Data Breach Investigations Report found that vulnerability exploitation accounted for 20% of breaches involving initial access, nearly matching credential abuse at 22% (https://www.verizon.com/business/resources/reports/dbir/). Mandiant's M-Trends 2025 report similarly identified exploits as the leading initial infection vector at 33% (https://cloud.google.com/resources/m-trends).
Once Inside: Living Off the Land
The internal attack landscape is different. Modern enterprises have invested heavily in endpoint detection and response capabilities that can identify many of the behaviors associated with software exploitation on managed systems, including suspicious process chains, memory manipulation, credential dumping, and abnormal privilege escalation activity. As a result, sophisticated attackers often prefer lower-visibility methods of progressing through an environment.
These techniques are commonly described as living off the land (LOTL). Rather than repeatedly exploiting software vulnerabilities, attackers use compromised identities, excessive privileges, legitimate remote administration tools, existing trust relationships, exposed secrets, and configuration weaknesses. CISA and its international partners recognize LOTL techniques as difficult to detect because they blend with normal administrative activity (https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques).
Evidence from threat intelligence and incident response indicates that these identity and administration-based techniques are central to post-compromise activity. MITRE ATT&CK identifies valid accounts and remote services such as RDP, SMB, SSH, and WinRM as core techniques for lateral movement (https://attack.mitre.org/techniques/T1021/ and https://attack.mitre.org/techniques/T1078/). Mandiant's M-Trends 2025 report notes that improperly secured identities often provide attackers with the path of least resistance for privilege escalation (https://cloud.google.com/resources/m-trends). Red Canary's analysis of more than 110,000 confirmed threats identified PowerShell, Windows Command Shell, WMI, and cloud accounts among the most frequently observed attacker techniques, all of which are commonly used to operate through legitimate administrative pathways (https://redcanary.com/threat-detection-report/techniques/).
Frontier AI Is Going to Live Off the Land
The implications for frontier AI cybersecurity are significant. Much of the public discussion assumes AI's primary offensive advantage will be finding more vulnerabilities and creating better exploits. Yet the same capabilities that make AI effective at vulnerability discovery—large-scale analysis, pattern recognition, reasoning over complex information, and automation—are equally applicable to understanding enterprise attack paths.
An advanced AI agent operating inside a network can map identity relationships, analyze permissions, identify exposed secrets, evaluate trust boundaries, and determine which combination of weaknesses provides the highest probability of reaching a sensitive asset. Some of the first public evidence of AI-enabled offensive operations suggests this capability is already emerging. In 2025, Anthropic reported observing AI-assisted cyber operations involving credential harvesting, internal reconnaissance, certificate extraction, access testing across systems, privilege mapping, and support for lateral movement (https://www.anthropic.com/news/disrupting-AI-espionage). Anthropic's subsequent 2026 analysis of malicious AI use found that a measurable subset of adversarial cyber activity involved AI supporting lateral movement and post-compromise operations (https://www.anthropic.com/news/AI-enabled-cyber-threats-mitre-attack).
Implication: Don't Ignore LOTL Exposures
This has important implications for security investment. Vulnerability management will remain a foundational cybersecurity capability, especially for externally reachable assets. However, organizations should evaluate whether the effort devoted to reducing large volumes of lower-risk internal vulnerabilities is appropriately balanced against addressing identity exposures, excessive privilege, weak service account hygiene, unnecessary administrative pathways, poor segmentation, and other conditions that create practical attack paths.
A mature exposure management strategy should consider not only the existence of individual weaknesses but also how those weaknesses can be combined by an intelligent adversary. In the age of frontier AI, security will increasingly depend on understanding the full set of paths that connect an initial compromise to an organization's most sensitive systems.
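The prioritization described above can be made concrete with a small attack-path model. The following is an added example, not part of the original article: it ranks exposures by how many paths from a foothold to a critical asset each one sits on. The asset names, exposure labels, and the environment itself are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample environment. Each edge is one exposure that lets an
# attacker move from one asset to the next; every name is hypothetical.
EDGES = [
    # (source, target, exposure, kind)
    ("workstation", "file-server", "smb-local-admin-reuse", "lotl"),
    ("file-server", "svc-backup", "plaintext-secret-in-share", "lotl"),
    ("workstation", "build-server", "unpatched-ci-vuln", "vuln"),
    ("build-server", "svc-backup", "service-account-token-on-disk", "lotl"),
    ("workstation", "helpdesk-jump", "rdp-from-user-vlan", "lotl"),
    ("helpdesk-jump", "svc-backup", "cached-admin-credential", "lotl"),
    ("svc-backup", "domain-controller", "excessive-privilege-svc-backup", "lotl"),
    ("workstation", "print-server", "unpatched-print-vuln", "vuln"),  # dead end
]

def build_graph(edges):
    graph = defaultdict(list)
    for src, dst, exposure, _kind in edges:
        graph[src].append((dst, exposure))
    return graph

def attack_paths(graph, start, targets):
    """Return every simple path from start to a target, as lists of exposures."""
    paths, stack = [], [(start, [], {start})]
    while stack:
        node, used, seen = stack.pop()
        if node in targets and used:
            paths.append(used)
            continue
        for nxt, exposure in graph.get(node, []):
            if nxt not in seen:  # never revisit an asset: keeps paths simple
                stack.append((nxt, used + [exposure], seen | {nxt}))
    return paths

def rank_exposures(edges, start, targets):
    """Rank exposures by the number of attack paths that remediation would break."""
    paths = attack_paths(build_graph(edges), start, targets)
    kinds = {exposure: kind for _, _, exposure, kind in edges}
    rows = [(sum(e in p for p in paths), e, k) for e, k in kinds.items()]
    return sorted(rows, key=lambda r: (-r[0], r[1]))

if __name__ == "__main__":
    for broken, exposure, kind in rank_exposures(EDGES, "workstation", {"domain-controller"}):
        print(f"{broken} path(s) broken  [{kind}]  {exposure}")
```

In this constructed environment the over-privileged service account is the chokepoint on every path, while the unpatched print server contributes to none, which is the kind of relative ranking the article argues should drive internal remediation.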