Can AI Help Black Lotus Labs Win the Cyber Arms Race?

Can AI Help Black Lotus Labs Win the Cyber Arms Race?

Vladislav Zaimov is a seasoned telecommunications specialist who has spent his career securing complex enterprise networks and managing risks within vulnerable infrastructures. In this discussion, he explores the escalating arms race between cybercriminals and defenders, focusing on how sophisticated threat intelligence and global network visibility are becoming the primary lines of defense. We examine the shift from manual security monitoring to AI-enhanced operations, the diverse motivations behind modern cyberattacks, and the strategic partnerships shaping the future of managed detection and response.

How are attackers evolving their methods through the use of artificial intelligence, and what impact does this have on the speed of security breaches?

Attackers are definitely harnessing AI to enhance the speed and sophistication of their strikes, creating a landscape where traditional defenses can easily be overwhelmed by automated tools. We are currently seeing teams track about 2.3 million threats every single day, a staggering volume that illustrates the sheer scale of the automated offensive being launched against global enterprises. This technology allows hackers to accelerate their operations significantly, making breaches happen faster and with a level of precision that was previously impossible to achieve manually. It is a relentless and evolving environment where the speed of the computer has become the new baseline for every single engagement between adversaries and defenders.

In a landscape where data is overwhelming, how can security teams leverage agentic capabilities to manage the millions of threats detected every day?

Transitioning to agentic security operation center capabilities is the only viable way to manage the massive influx of alerts that modern networks generate without burning out human staff. Our defense systems are currently processing roughly 200 billion NetFlow sessions and DNS queries every day, a monumental task that would be physically impossible for a single analyst or even a large human team to handle. By using AI agents to parse through this data at the speed of computers, we can filter out the noise and push only the highest-priority threats to human analysts for deeper investigation. This partnership between human and machine intelligence allows us to operate at a scale where we can detect millions of threats automatically while ensuring our best analysts focus their attention on the most critical and complex anomalies.

What role does a global IP backbone play in uncovering the infrastructure of cybercriminals, and how does this unique perspective help in shutting down their activity?

Having direct visibility into a global IP backbone provides a unique vantage point that most standard service providers simply cannot match in their security offerings. By leveraging the global telemetry that occurs across this backbone, we are able to understand the underlying networks of our adversaries and discover their specific points of presence located all around the world. This granular visibility allows us to take proactive measures to block criminal activity at the source before it even reaches a customer’s internal environment. Since the inception of specialized threat labs in 2019, we have taken action with help from law enforcement and other service providers to shut down the infrastructure entirely, effectively dismantling the very tools that these actors rely on for their operations.

Beyond financial gain, what are the diverse motivations driving modern threat actors, and why are we seeing an increase in attacks on edge devices?

While financial gain through ransomware remains a powerful driver, we are seeing a shift toward information stealing and the trading of sensitive data within underground ecosystems. Some actors, such as the group behind the “Kimwolf” DDoS attacks that took down gaming sites and internet infrastructure, appear to be motivated by clout and social status within the hacking community. We are also noticing a significant increase in attacks targeting edge devices like VPN gateways, mail servers, and firewalls because they serve as the perfect entry points into an enterprise’s network. One particularly concerning trend involves Android-based malware that infects mobile devices, giving threat actors a persistent point of presence that follows the device wherever it goes, regardless of the physical location of the user.

How does integrating managed detection with extensive network telemetry change the way enterprises respond to sophisticated attacks?

Integrating managed detection and response with software from industry leaders like Palo Alto Networks allows us to consolidate telemetry from across a customer’s entire environment, including logs, server information, and endpoints. By pumping specialized threat intelligence directly into this integrated solution, we enrich the alerts that analysts see, providing them with much better context for faster detection and response. This collaborative approach means that the data we gather from our global network is actively used to enhance the security posture of every connected enterprise rather than being siloed. It creates a much more holistic defense mechanism that can adapt to sophisticated threats in real-time by combining internal logs with global intelligence.

What makes nation-state attacks particularly dangerous for long-term network integrity, especially when they utilize zero-day vulnerabilities?

Nation-state actors often play a much longer and more patient game, frequently utilizing “zero-day” attacks to exploit software vulnerabilities that have no known fix or patch. Their goal isn’t always a quick payout or a loud ransom note, but rather to gain a stealthy foothold in a network where they can remain undetected for years to harvest information. This type of long-term spying is incredibly dangerous because a corporation may have no idea their network integrity has been compromised until it is far too late. The deep resources of these actors mean that defenders must be even more vigilant and use AI to identify the subtle, non-obvious signs of a persistent and silent presence within their critical infrastructure.

What is your forecast for the future of AI-driven network security?

My forecast for the future of network security is a shift toward fully autonomous, self-healing systems where AI handles the majority of tactical defense decisions without human intervention. As threat actors continue to automate their strikes, we will see our defense telemetry grow well beyond 200 billion daily sessions, requiring even more sophisticated agentic SOC capabilities. We will likely reach a point where the speed of detection and the subsequent blocking of a point of presence occur simultaneously, reducing the window of vulnerability to near zero. Ultimately, the survival of enterprise networks will depend on how effectively we can integrate human strategic intelligence with the massive scale of AI to counter an increasingly automated global threat landscape.

Subscribe to our weekly news digest.

Join now and become a part of our fast-growing community.

Invalid Email Address
Thanks for Subscribing!
We'll be sending you our best soon!
Something went wrong, please try again later