Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: How Hackers are Using A.I. in 2026
Quick Take
On this milestone 200th episode of “Compliance Unfiltered,” The CU Guys delve into the evolving landscape of cybersecurity, focusing on how AI is being leveraged by both defenders and attackers. They explore the dual nature of AI, highlighting its potential to enhance security measures while also lowering the barriers for cybercriminals. From AI-generated malware to sophisticated social engineering tactics, this episode provides a comprehensive look at the current arms race in cybersecurity. Join Todd and Adam as they discuss the implications of these advancements and the importance of staying vigilant in an ever-changing digital world.
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process.
Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the oregano to your compliance bolognese Mr. Adam Goslin. How the heck are you, sir?
I am doing just fantabulous today. How about yourself, Todd?
I can’t complain sir before we start it is a momentous occasion in fact that’s correct it is episode 200 of compliance unfiltered I want to take want to take this opportunity to say thank you thank you to you Adam for hanging out with me for 200 episodes and more importantly thank you to the listener for for sticking with us and hanging out for all of your compliance needs as always we want to hear what you have to say so give us a shout let us know your feedback your input on topics that you want to hear about drop us a line [email protected]. Adam 200 episodes
Yeah, pretty cool. Neither of us have stabbed each other in the eyeball yet, so that’s a good thing. Somehow, the listeners have somehow hung with us and hung on for the 200th. I’d echo what you said. I mean, it’s fun to get to this point.
Honestly, we have to go do some digging and some research, but I’m not sure how many compliance-related pods have 200 episodes. So I think it’s fair to say we’re in a relatively elite group, if you will, but no, it’s been fun doing what we do. It’s fun to be able to bring data, information, topics, and discussions to folks in the compliance space. Hopefully, they’ve enjoyed the ride as much as we have, but hey, we’ll keep cracking. You and I were talking a little bit ago, we’ll do something a little more spectacular for episodes like 250 or something, as we get to that point. It’s been fun, been a good ride, but I’d also echo the notion, for the folks that are listening, do us a favor, honestly, what do you want to hear about? Did you hear about something cool, some new topic in the security or compliance space that you want to know more about, something that, in your retrospective, you think that we haven’t quite covered in its entirety, something else that we could hit? Follow me, give us the ideas. We love receiving the feedback and the input, always looking for neat new stuff to chat about, so pretty cool.
Absolutely. Well, today we’re going to chat about, you know, a hot topic, I would say, and that’s specifically how hackers are using AI in 2026.
So there is a lot of talk of AI being used for good, but at a high level, how is AI helping the bad actors out of it?
Well, I mean, with any technology, as it goes from its infancy and starts to blossom, if you will, it has the capability for being used to help those which are protecting organizations or that are outsourcing security-related functions to companies, things along those lines. And so, for the good guys, there are certainly added benefits to the notion of AI, but most certainly, there’s no question that the bad actors out there, they similarly, it’s almost like getting into an arms race, where they’re able to use that same technology for evil.
And taking advantage of capabilities for increased speed, automation, more advanced attacks, things along those lines. So, we’ll get into a number of those topics today, but now it’s being used on both sides of the fence, and it very much feels like an arms race unfolding, as we speak, if you will.
No, no, most definitely. Now, for many cybersecurity professionals, the best offense is a great defense. But how is AI lowering barriers to entry for the bad guys?
Well, you know, for the bad guys, you know, they’re developing, you know, they’re developing tools. It used to be that, you know, you have that or whatever. Let’s say we go back 10 years, right? You know, you had to have a certain level of capability, level of skill, things along those lines that, you know, that would be, you know, that would be happening.
And, you know, the reality is, is that with the use of the AI tools, and, you know, some folks have, you know, kind of branded the, you know, the underground AI tools as hack GPT, you know, type of a thing, you know, you know, and whatnot, but they’ve got tooling that they’re building, that they have the capability to go ahead and leverage that will kind of make up for the lack of knowledge, you know, that, you know, that the bad actor needs to have in order to do what they do. They’re not needing this entire symposium of information and data and tooling and capability and knowledge and experience that they go bring in. Instead, it’s almost like they’re, you know, they’re steering, you know, if you will, you know, steering the tooling, etc. So, you know, I don’t need to know how to, you know, how to build an engine, but I sure as hell can get behind the driver’s seat and do some damage, you know what I mean? And so it’s really, you know, some of these are being sold off as subscription services, you know, really allowing individuals to, you know, with minimal technical knowledge to launch sophisticated attacks. So it’s, you know, it’s kind of changing the landscape, if you will.
So Adam, what are the impacts on the malware landscape?
Well, you know, the hackers are being able to use AI to basically generate, you know, malware that can, you know, morph itself or modify itself, you know, kind of constantly changing the code behavior, code and behavior to evade any of the signature based detection mechanisms by the kind of traditional anti-malware programs. So, you know, one of the, you know, it was kind of like that was the arms race of old, right?
How many times could they, you know, how many times could they change the, you could slightly change the attack vector or the code of the, you know, of the malware so that it would, you know, not get caught by whatever filters that the anti-malware, you know, programs were employing to identify that particular chunk of code. But when you’ve got, you know, AI basically being able to go in and, you know, morph the malware, you know, stream it up against 500,000, 10,000 targets, come back, morph it again, ship it back out against another 10,000, etc. I mean, it’s almost like they would have the capability to, they would have the capability to morph it faster than signature based, you know, systems would be able to keep up. You know, so certainly that’s a, you know, that’s an arena that’s going to get, that’s going to get real interesting as we watch the, watch the old arms race, you know, kind of unfold between the good guys and the bad guys.
No doubt. How is it helping them identify vulnerabilities or vulnerable systems?
Sure. Actually, there was a recent vulnerability. I think we were talking about it on the last security, a quarterly security reminder pod that we did, where it was an old vulnerability from five years ago or something, that the bad guys were resurfacing because they just decided to go back to one of these old vulnerabilities and say, hey, what systems are out there that are still vulnerable to this thing? Well, back in the day, it used to be a lot of manual work to go try to do that scouring for these systems, et cetera.
Well, now they can just go ahead and deploy AI agents to scan networks, code bases, et cetera, for basically in an automated fashion, being on the hunt for misconfigurations, zero day vulnerabilities on devices and doing so at the speed of the machines and tooling that they’ve got. There are some AI tools that have shown some success in autonomously developing functional exploit codes for known vulnerabilities. They’re not only going to be able to go out, seek out vulnerable systems, but also use the AI to be able to generate tooling that they can go in and take advantage of when they’re planning out their attacks. Yeah, it’s going to get interesting.
It sounds that way. What about enhancements with automation?
Well, you know, I, I, I’ve, I’ve told this story before, uh, about, and God, this was, this was two decades ago, um, where. Attackers had, you know, we’re, we’re, we’re hitting a system that I literally was staring at the screen of, you know, type of a thing. It was, uh, it was actually before, uh, before I, um, had to get that organization through PCI compliance. And we were literally staring at, staring at the screen and watching, um, you know, they’d found an exploit on the system. They, you know, were attempting to run a script, uh, you know, type of a thing using automation where, you know, the first call in was basically doing a, you know, a live host check, you know, we had to go to sleep 30 seconds later. Another, another call would come in, uh, and it was trying to do probing around what type of a box or device was it that it had, you know, it had reached. And it had all of these kind of escalating abilities or capabilities that, but it was all script based and the, the only thing that saved that particular organization is that the code that the attackers used for some reason ended up puking at a certain point in the game. So their script literally died right in the middle, um, you know, of, uh, of attempting to do, um, identification, uh, you know, identification of the assets, you know, and whatnot.
So, and that was two decades ago, you know, um, you get, you fast forward to today and, you know, the, the, the more advanced uses, uh, you know, of the, of AI. Can you involve fully automated AI agents that, you know, basically, you know, behave as a, you know, behave as a master master attacker, uh, you know, type of a thing and conducting, you know, off on their own, conducting research, identifying targets, bypassing security controls, um, multi-step multi-stage attacks with really minimal human, human oversight, the, the, the most impressive part about that capability is where the script was written, you know, the script that I saw two decades ago, that was, that was just a straight up script where if anything puked along the way, then the script was screwed, uh, where with these AI agent-based attacks, uh, I mean, they’ll have the capability to, they’re not just going to puke out because they run into a roadblock. They’re just going to keep going with different things. Learn, you know, learn from those, those attacks. If it wasn’t successful, you know, what do I need to change, et cetera? So there’s going to be, you know, a continuous evolution, but it’s really going to streamline the, the, the bad actors capability for, uh, for going in and doing, um, you know, doing automated, you know, attacks on organizations. It’s going to get, uh, it’s, it’s, it’s really going to be very entertaining to watch this unfold, uh, as they, you know, kind of hard, truly harness that power.
entertaining is certainly one way to put it. How is the social engineering landscape changing?
Well, I mean, with social engineering, back in the day, a lot of it was very manually intensive to go in and set up the scenarios. The reality is with the advent of AI, the attackers have the ability to make social engineering attacks unbelievably realistic.
You know, we can create, you know, do things like automatically create, you know, highly convincing phishing emails, you know, scams, scripts, deep fakes. You know, we’ve talked previously about the ability to, you know, kind of ghost out your number and it looks like you’re calling from, you know, fill in the blank number. We’ve also got now the capability for deep fakes, for voices to be able to be leveraged. So imagine that, you know, we go in, we use the AI to be able to, you know, ghost out the phone number of the CEO. We also have all sorts of, you know, video online of the CEO doing talks, blah, blah, blah, blah, blah, blah, where they can use that to go ahead and fake out the voice, you know, et cetera. And, you know, as it’s still not perfect, right? But as it gets better and better and better, we’re going to hit a point where it’s going to be extremely challenging to distinguish between, you know, some form of a, some form of a deep fake social engineering attack and reality. It’s going to be progressively more difficult to be able to tell the difference, you know, and so traditional, traditional defenses, human, you know, the capability for humans to be able to tell, you know, whether it’s, you know, whether it’s BS or reality is going to get progressively less effective as the bad guys continue to kind of roll out that notion of, you know, hyper-realistic social engineering attacks.
Now, for a little story time, you told me about a job you had doing targeting like early in your career. How is that same philosophy being used by bad actors?
Yeah, so to explain to the listeners, but a long, long time ago, and I’m far, far away, my first job out of college was working for an organization that had, it was doing sampling, where they would send out samples to consumers. And the way that they did that was through kind of targeting various zip codes. And what it was is that the organization was basically developing bags that would go around newspapers so that when the newspapers were delivered, they would have a sample on that bag that the newspaper was in. And they would use various aspects about the zip code, the street, the area that these folks were in that were receiving the newspaper so that they could hit a certain profile with a high degree of certainty to make the sampling program more effective.
Well, so fast forward, I don’t know, probably about three-ish decades ago, into the future, as the bad guys are using AI, you think about it, right? Like, what is it that they’re trying to target? Like, you’ve got the, we’ll call it the, whatever, the Nigerian Prince scam, where, hey, just send me $5,000 for shipping and handling, and I’m going to go ahead and grant you $50 million type of a thing. That was just a blind shot back in the day. Well, in this AI world, I can use AI to go in, look at directed victims. What’s their financial worth? How many assets do they have? What’s their relative position within an organization? Whatever it is that will allow them to maximize their return on investment. And so making sure that they can kind of appropriately target, not only target the right people, right? So I have the best chance of a potential success period, but also allows them to ratchet up and down depending on the circumstance of the individual that they’re going after. Well, for person number one, hey, we should be going after $5,000, where for person number two, maybe we should just be targeting 500 bucks type of a deal, because that way they can make these scenarios realistic, but also target it based on the parameters that they see in that targeted individual. It’s basically going to mean that they can optimize their attacks on folks as they’re going about doing it. That is certainly going to be actually really fascinating to see how those capabilities of parameters around individuals are used both for good and for bad as things unfold. It almost makes you sit there and you’re wishing, oh gosh, I really wish that I had done everything humanly possible not to get as much crap about myself out on the internet as I could, because I think for some folks, it’s definitely going to come back to haunt them, that’s for sure.
I do not doubt that at all. Parting shots and thoughts for the folks this week, Adam.
Well, with any type of technology, there’s always good, there’s always bad that comes along with it. This lovely world of AI in particular, it’s definitely arena where we have a lot of opportunity on both sides of that fence. And my hope is, if you will, Godspeed to the good guys.
Stay ahead of those bad actors because I think there’s a very interesting arms race that’s in the process of unfolding as we speak. And we just need to picture that the right side wins, if you will. I think there’s going to be wins and losses on both sides of that tally sheet as this all unfolds, but most certainly, a much higher level of vigilance is going to be needed as we forge forward down this path.
No doubt. And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Gosling. Hope we helped to get you fired up to make your compliance suck less.
