theNet by CLOUDFLARE

Autonomous security at AI speed

Designing rapid threat response for modern environments

I still remember the shock on my colleagues' faces back in late 2016 when the very first distributed denial-of-service (DDoS) attacks crossed the 1 Tbps threshold. The Mirai botnet — the culprit of this first ever 1 Tbps DDoS attack — had more than 145,000 IoT devices under its control to launch such devastating attacks.

Back then, numerous security analysts, engineers, and specialists worked globally around the clock to mitigate these attacks. But as sophisticated as the attacks were, they were executed by humans and mitigated by humans.

Now, we have crossed a threshold. Today’s threat landscape is not defined by sophistication alone but by overwhelming scale and autonomy. We have entered the era of the "hyper-volumetric" attack, where human intervention is not just slow — it is becoming more and more irrelevant.


Welcome to the 30+ Tbps era

The metrics for resilience have changed. The "record-breaking" attacks of years past are now the baseline for the present, as a recent DDoS threat report has shown:

  • The new monster: The Aisuru botnet has redefined scale, driving attacks to a peak of 29.7 Tbps.

  • The frequency: In Q4 2025, network-layer DDoS attacks were up by 202% year over year, according to one report.

  • The speed: Between 71% and 89% of these attacks last less than 10 minutes. If your resilience strategy relies on a generic alert waking up an engineer, the attack is already over (and the damage done) before they are even able to log in.

How can we respond to a continuous stream of large-scale attacks at machine speed?

This is where automation and AI come in. An AI agent does not need to log into the security information and event management (SIEM) or network detection and response (NDR) tool by hand to understand what is happening. It reads the data in real time, builds a picture of the situation as it unfolds, and can deploy valid countermeasures on its own (e.g., adding firewall rules or blocking specific traffic patterns or protocols). With that head start, the security operations center (SOC) has time to bring human judgement and privileged access to bear: bolstering the defenses and verifying the automated changes the AI agents implemented.
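As an added illustration of the detect-then-act loop described above (example code, not Cloudflare's and not part of this article): a per-destination sliding-window packet-rate detector over constructed per-second flow summaries that emits a time-limited rate-limit rule together with an audit record for the SOC to verify. The window, threshold, rule schema and TTL are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample: per-second flow summaries as (epoch_s, dst_ip, proto, packets).
# 203.0.113.10 receives a short UDP flood from t=3 on; 203.0.113.20 stays normal.
SAMPLE_FLOWS = [
    (0, "203.0.113.10", "udp", 1200), (1, "203.0.113.10", "udp", 1500),
    (2, "203.0.113.10", "udp", 1300), (2, "203.0.113.20", "tcp", 900),
    (3, "203.0.113.10", "udp", 250000), (4, "203.0.113.10", "udp", 310000),
    (5, "203.0.113.10", "udp", 295000), (5, "203.0.113.20", "tcp", 1100),
]

@dataclass
class Action:
    target: str
    rule: dict      # countermeasure the agent would push to the edge (assumed schema)
    evidence: str   # what the SOC analyst sees when verifying the change

def detect_and_mitigate(flows, window=3, pps_threshold=100_000, rule_ttl_s=600):
    """Per-destination sliding-window packet-rate detector.

    Thresholds and the rule schema are assumptions for illustration. Returns one
    Action per destination that crosses the threshold; the rule carries a TTL so
    an automated block expires unless a human decides to keep it."""
    history = defaultdict(deque)   # dst -> recent (t, packets) within the window
    mitigated = set()
    actions = []
    for t, dst, proto, packets in flows:
        q = history[dst]
        q.append((t, packets))
        while q and q[0][0] <= t - window:   # drop samples that fell out of the window
            q.popleft()
        pps = sum(p for _, p in q) / window
        if pps > pps_threshold and dst not in mitigated:
            mitigated.add(dst)   # act once; later samples become the SOC's evidence
            actions.append(Action(
                target=dst,
                rule={"action": "rate_limit", "dst": dst, "proto": proto,
                      "limit_pps": pps_threshold, "ttl_s": rule_ttl_s},
                evidence=f"t={t}s {dst}: {pps:.0f} pps over {window}s (> {pps_threshold})",
            ))
    return actions

if __name__ == "__main__":
    for a in detect_and_mitigate(SAMPLE_FLOWS):
        print(a.evidence, "->", a.rule)
```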


The shadow AI blind spot

Security isn't just about keeping bad traffic out; it's also about keeping proprietary data in. The rapid adoption of AI tools by employees has created a massive governance gap.

  • The stat: According to IBM, 20% of breaches now involve "shadow AI," unsanctioned tools used by employees to speed up work.

  • The reality: Some 63% of breached organizations admit they still have no formal AI governance policy.

  • The fix: You cannot safeguard what you cannot see. Security now requires a full overview of your technology stack, including your SaaS tools, to know what you have to watch and monitor. Additionally, data loss prevention (DLP) tools specifically tuned to catch proprietary code or PII being pasted into public LLMs are needed to cover the shadow AI threat.

The days when DLP only had to cover email and browser usage are gone. With the evolution of AI browsers, API-anywhere, and agentic AI, the old DLP coverage model is no longer sufficient. Centralized control should be a high priority: technology leaders need to know which tool is receiving what data — and what each tool can do with that data.
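An added example (not from this article or any Cloudflare product) of the kind of DLP check described above: inspecting an outbound prompt for PII, secrets and source code before it is allowed to reach a public LLM. The detector patterns and the constructed sample prompt are assumptions and deliberately simple.

```python
import re

# Constructed sample prompt of the kind an employee might paste into a public LLM.
SAMPLE_PROMPT = """Can you refactor this?
def charge(customer):
    api_key = "EXAMPLE-SECRET-0000000000"
    return billing.create(api_key=api_key, customer=customer)
Customer: jane.doe@example.com, card 4111 1111 1111 1111
"""

# Assumed, deliberately simple detectors; a production DLP engine would use many more.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "secret_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[=:]\s*['\"][^'\"]{8,}"),
    "source_code": re.compile(r"^\s*(?:def |class |import |#include|function |package )", re.M),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from random digit runs."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def scan_prompt(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched_text) for every sensitive item found in the prompt."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0).strip()
            out_kind = kind
            if kind == "card_candidate":
                if not luhn_ok(re.sub(r"\D", "", value)):
                    continue   # digit run that is not a valid card number
                out_kind = "card_number"
            findings.append((out_kind, value))
    return findings

def dlp_decision(text: str) -> tuple[str, list[tuple[str, str]]]:
    """Policy: block the upload if anything sensitive is found, otherwise allow."""
    findings = scan_prompt(text)
    return ("block" if findings else "allow"), findings
```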


The deepfake defense

The social engineering game has moved from typos in emails to perfect replication of identity. Employees are invited into video calls with what appear to be their top executives, who order them to carry out tasks such as transferring large sums of money. For almost anyone, seeing those people on a video call reads as a clear sign that the request from the top is genuine.

  • The shift: One in six breaches now involves AI-driven tactics; 35% of these use deepfake voice or video impersonation.

  • The damage: Phishing, which is often enhanced by AI, can result in average costs of $4.8 million per breach.

  • The action: Resilience training must evolve. It is no longer about spotting a fake email; it is about verifying identity through out-of-band communication channels.

We’re not just seeing more and more AI slop on social media. More worryingly, we’re also experiencing a huge increase in deepfake social engineering attacks. When a Ferrari executive received a call from someone presenting as the CEO, the only thing that exposed what turned out to be an attack was a brief question about a book the two had previously discussed; the attacker, of course, had no idea and could not answer.

So old-fashioned safe words should be embraced again, to make sure the person you are talking to is the real person and not an attacker backed by an AI deepfake. Implementing AI-powered email security also helps intercept phishing attempts rapidly and at scale by analyzing hundreds of email attributes.


Ransomware: The pivot to extortion

After years of high-stakes ransom payouts following successful ransomware attacks, we are finally seeing those numbers decline. But as the ransomware business model breaks down, it is forcing attackers to change tactics as well.

Going from a “standard” ransomware attack to a double or even triple extortion scheme was the logical evolution of these types of criminal activities. That, of course, has to have an influence on our defense capabilities.

While for a time encrypting your data was considered a sufficient compensating control, we should aim higher and never let any data leave our IT environment without an articulated, valid business reason. And with quantum computing on the horizon, the threat of “harvest now, decrypt later” is becoming even more worrisome: think of the large volume of stolen-but-encrypted data sitting on someone's hard drive, just waiting for enough computing power to decrypt it and use the raw data in the next attack phase.


Implementing autonomous security

Today, security is autonomous, or it is nothing. We must implement systems that can think and react fast, because the threats they face do so too. Those systems should be able to absorb large attacks and block threats — from DDoS attacks to deepfakes — without human intervention and without complicating solution management.

Cloudflare offers a full range of security capabilities that can help your team respond rapidly and autonomously to threats. For example, Cloudflare DDoS protection can mitigate even the largest, fastest-moving DDoS attacks. And Cloudflare Email Security offers AI-powered protection to automatically block sophisticated, AI-enhanced phishing threats. Since the Cloudflare connectivity cloud integrates all security solutions in a single platform, you can easily add autonomous capabilities without adding management complexity.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.


Dive deeper into this topic.

Learn more about how AI is reshaping the business and security landscape, and gain a playbook for securing people, data, and applications in the ebook, Modernizing security for the AI era.

Author

Max Imbiel – @maximbiel
Field CISO, Cloudflare



Key takeaways

After reading this article you will be able to understand:

  • Why hyper-volumetric attacks outpace traditional mitigation tactics

  • The role of autonomous systems in stopping deepfakes and data theft

  • How to implement AI-driven defenses and enforce shadow AI governance


