Redefining CyberSecurity

The 72-Minute Gap: What the Breaches, the Vendors, and the Messaging Are Actually Telling Us | Lens Four by Sean Martin | Read by TAPE9

Episode Summary

AI-driven cyberattacks now move from breach to exfiltration in just 72 minutes, yet most security programs still operate on human timelines. Sean Martin examines what the latest breach data, vendor consolidation moves, and industry messaging are actually telling CISOs, through three lenses that connect the dots others miss.

Episode Notes

Attackers are moving in 72 minutes. One CISO has already eliminated the entire SOC team. And the industry is spending a quarter of a trillion dollars while struggling to define what "resilience" even means.

In this edition of Lens Four, Sean Martin looks at the cybersecurity landscape through three lenses (programs, innovation, and messaging) to connect the signals that matter.

πŸ” In this episode:

Sean's Take:
When attackers operate in minutes and defenders plan in quarters, the gap isn't technology; it's assumptions. The organizations closing the 72-minute gap aren't hiring faster. They're rethinking what humans are for and what machines should own.

Catch the full companion article on Lens Four at seanmartin.com for the complete three-lens analysis with all references and data sources.

For CISOs and security leaders: Can your program detect, investigate, and contain a threat in 72 minutes β€” or are you still measuring in days?
For vendors and product teams: Is your platform solving the operational problem CISOs have today, or selling a vision their program can't execute on?
For marketing and go-to-market teams: Are you connecting your messaging to measurable outcomes β€” or hiding behind buzzwords like "resilience" and "platform"?

📖 Read the full Lens Four analysis on seanmartin.com: https://www.seanmartin.com/lens-four/72-minute-gap-breaches-vendors-messaging

🎬 Watch the companion video summary β€” "Why Hackers Beat Your Security in Just 72 Minutes": https://youtu.be/EjsADm7faJ0

🎧 Listen to the Redefining CyberSecurity Podcast conversation with Richard Stiennon on SOC automation: https://redefiningcybersecuritypodcast.com/episodes/soc-automation-and-the-ai-driven-future-of-cybersecurity-defense-a-redefining-cybersecurity-podcast-conversation-with-richard-stiennon-chief-research-analyst-of-it-harvest

🎬 Watch the video version of the Richard Stiennon conversation: https://youtu.be/si_fS4H-d3w

🔔 Subscribe to the Future of Cybersecurity newsletter on LinkedIn: https://itspm.ag/future-of-cybersecurity

This story represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence.
Enjoy, think, share with others, and subscribe to Lens Four on seanmartin.com and "The Future of Cybersecurity" newsletter on LinkedIn: https://itspm.ag/future-of-cybersecurity
Sincerely, Sean Martin and TAPE9

Sean Martin is a life-long musician and the host of the Music Evolves Podcast; a career technologist, cybersecurity professional, and host of the Redefining CyberSecurity Podcast; and is also the co-host of both the Random and Unscripted Podcast and On Location Event Coverage Podcast. These shows are all part of ITSPmagazine, which he co-founded with his good friend Marco Ciappelli, to explore and discuss topics at The Intersection of Technology, Cybersecurity, and Society™.
Want to connect with Sean and Marco On Location at an event or conference near you? See where they will be next: https://www.itspmagazine.com/on-location
To learn more about Sean, visit his personal website.

🔎 Keywords
72-minute gap, ai-driven cyberattacks, soc automation, unit 42, incident response, identity-driven attacks, credential theft, iam misconfigurations, cisa workforce, agentic ai, palo alto networks, crowdstrike, google wiz acquisition, cybersecurity spending, platform consolidation, ai security vendors, it-harvest, richard stiennon, gartner cybersecurity trends 2026, forrester predictions, clawjacked, enterprise management associates, board-ciso communication, cybersecurity resilience, managed security services, cyber insurance, redefining cybersecurity podcast, lens four, sean martin, tape9

Episode Transcription

The 72-Minute Gap: What the Breaches, the Vendors, and the Messaging Are Actually Telling Us

A Lens Four Blog By Sean Martin

I regularly look at the intersection of business, technology, and messaging through three lenses: how organizations are running their operations and security programs, how vendors and innovations are reshaping the market, and how language influences the decisions that executives and practitioners actually make. Taken together, these three angles reveal where the real gaps, and the real opportunities, live. This time the focus is cybersecurity, and the signals are hard to ignore.

How Fast Are AI-Driven Cyberattacks β€” and Can Security Programs Keep Up?

The short answer: attackers are operating in minutes, and most defenders are not. AI-driven cyberattacks now move from initial access to data exfiltration in as little as 72 minutes, a four-times acceleration over the prior year, according to the Unit 42 2026 Global Incident Response Report. Meanwhile, only six percent of organizations have fully deployed agentic AI in their security operations, even though ninety-two percent say AI helps their teams review more events. Reviewing events and responding at machine speed are fundamentally different capabilities. That gap is where breaches live.

February 2026 proved it. Japan Airlines disclosed unauthorized access to customer data spanning back to July 2024. Wynn Resorts lost government-issued IDs to ransomware. IDMerit β€” a company trusted to verify identities β€” leaked one billion records. The University of Mississippi Medical Center had to close clinics and cancel procedures. Substack, Flicker, Crunchbase, and Malaysia Airlines all reported incidents in the same month.

The thread connecting these was not sophisticated tradecraft. It was credential reuse, ungoverned third-party access, and peripheral systems nobody was monitoring: gaps in visibility, not gaps in technology. Unit 42's data makes it stark: sixty-five percent of initial access is now identity-driven, with social engineering, stolen credentials, and IAM misconfigurations as the primary entry points. Identity weaknesses played a role in nearly ninety percent of all incidents investigated.
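To make the two points above concrete (identity-driven entry and the 72-minute clock), here is an added example that is not part of the article and not code from Unit 42, IT-Harvest, or any vendor named on this page. It runs two cheap identity rules over a handful of constructed login events: one credential seen from a second country within an hour, and a governed third-party account reaching a system outside its allow-list. It then scores a hypothetical response timeline against the 72-minute attacker window. Every account name, target, country, timestamp, and allow-list entry is made up for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Attacker tempo cited in the article: initial access to exfiltration in 72 minutes.
ATTACKER_WINDOW = timedelta(minutes=72)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_country: str
    target: str
    success: bool


@dataclass(frozen=True)
class Finding:
    ts: datetime
    rule: str
    user: str
    detail: str


# Constructed sample telemetry (not real logs). "alice" is a reused credential
# that appears from a second country minutes after a legitimate login;
# "vendor-svc" is a third-party account that reaches a system it was never
# approved for. All names, targets, and countries are hypothetical.
T0 = datetime(2026, 2, 1, 9, 0)
SAMPLE_EVENTS = [
    AuthEvent(T0, "vendor-svc", "US", "billing-api", True),
    AuthEvent(T0 + timedelta(minutes=5), "alice", "US", "vpn", True),
    AuthEvent(T0 + timedelta(minutes=20), "alice", "RU", "vpn", True),
    AuthEvent(T0 + timedelta(minutes=40), "vendor-svc", "US", "hr-db", True),
    AuthEvent(T0 + timedelta(minutes=50), "bob", "DE", "vpn", False),
    AuthEvent(T0 + timedelta(minutes=90), "alice", "RU", "file-share", True),
]

# Hypothetical allow-list: the only targets each governed third-party account may reach.
THIRD_PARTY_ALLOWLIST = {"vendor-svc": {"billing-api"}}

# Hypothetical IR timeline: the account was finally disabled 90 minutes after
# the first malicious login (T0 + 20 min).
CONTAINED_AT = T0 + timedelta(minutes=110)


def detect_identity_misuse(events, allowlist, travel_window=timedelta(minutes=60)):
    """Two identity rules over successful logins, returned in time order.
    geo_reuse: the same account authenticates from two countries inside travel_window.
    allowlist_violation: a governed third-party account reaches an unapproved target.
    Failed logins are skipped here; brute-force detection is a separate rule."""
    findings = []
    last_seen = {}  # user -> (ts, country) of the most recent successful login
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.success:
            continue
        prev = last_seen.get(ev.user)
        if prev is not None and prev[1] != ev.src_country and ev.ts - prev[0] <= travel_window:
            minutes = int((ev.ts - prev[0]).total_seconds() // 60)
            findings.append(Finding(ev.ts, "geo_reuse", ev.user,
                                    f"{prev[1]} -> {ev.src_country} within {minutes} min"))
        last_seen[ev.user] = (ev.ts, ev.src_country)
        allowed = allowlist.get(ev.user)
        if allowed is not None and ev.target not in allowed:
            findings.append(Finding(ev.ts, "allowlist_violation", ev.user,
                                    f"reached {ev.target}, approved for {sorted(allowed)}"))
    return findings


def gap_report(intrusion_start, first_alert, contained, window=ATTACKER_WINDOW):
    """Compare a response timeline with the attacker's window.
    beats_window is True only if containment landed before the modelled
    exfiltration point (intrusion_start + window)."""
    ttd = first_alert - intrusion_start
    ttc = contained - intrusion_start
    return {
        "ttd_min": int(ttd.total_seconds() // 60),
        "ttc_min": int(ttc.total_seconds() // 60),
        "beats_window": contained < intrusion_start + window,
    }


if __name__ == "__main__":
    found = detect_identity_misuse(SAMPLE_EVENTS, THIRD_PARTY_ALLOWLIST)
    for f in found:
        print(f.ts.time(), f.rule, f.user, f.detail)
    # The geo_reuse rule fires on the 09:20 event itself, so time-to-detect is
    # zero; the 90-minute time-to-contain still loses to the 72-minute window.
    print(gap_report(found[0].ts, found[0].ts, CONTAINED_AT))
```

The point of the report is the second number, not the first: a rule that fires instantly does nothing for the 72-minute question if nobody acts on it for an hour and a half. Swap in your own SIEM export and your real containment timestamps and the same function tells you whether your program is measuring in minutes or in days.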

And the institutional backstop is weakening. CISA has lost nearly thirty percent of its workforce since early 2025, dropping from about thirty-four hundred to twenty-four hundred staff. The CIRCIA final rule is delayed until May 2026. The Cybersecurity Information Sharing Act has expired. For every CISO trying to build a program that connects detection to response to business continuity, the question to the board is direct: if the federal infrastructure we relied on is diminished, what is our plan?

But here is what makes this moment different from the last decade of "we are losing the arms race" headlines: some organizations are closing the gap, and closing it fast. In a recent conversation on the Redefining CyberSecurity podcast, industry analyst Richard Stiennon, former Gartner VP and founder of IT-Harvest, described a CISO at a large enterprise who has already eliminated the entire SOC team. Not downsized. Eliminated. Replaced by AI-driven SOC automation that triages one hundred percent of alerts, builds cases, investigates threats, and executes containment, twenty-four seven, at machine speed, for a fraction of the cost of a human-staffed operation.

That is not a vendor pitch. It is an operational reality that changes the math for every security program still staffing a traditional SOC. If one organization can do it, the question for every other CISO becomes: what is the cost of not doing it? Stiennon framed it bluntly: if a ninety-day proof of concept costs fifteen thousand dollars and your SOC budget over that same period is a million dollars, every quarter you delay is a quarter of budget you do not get back.

The workforce gap is four-point-eight million globally. The breach tempo is accelerating. The programs that close the 72-minute gap will not do it by hiring faster. They will do it by rethinking what humans are for and what machines should own.

Which Vendor Moves Are Actually Changing the Market?

Platform consolidation is accelerating, but the most disruptive shift may not be coming from the platform vendors at all. Every major cybersecurity vendor is telling the same story: consolidate with us, reduce complexity, get unified visibility. The question CISOs should be asking is whether the platform solves the operational problem they have today or sells them a vision while their program struggles with basics.

Palo Alto Networks posted two-point-six billion dollars in Q2 revenue but missed Q3 earnings guidance, with shares dropping seven percent on integration costs from its twenty-five billion dollar CyberArk acquisition. CrowdStrike told a different story: net new ARR up seventy-three percent year over year, extending Falcon through a single-agent architecture with targeted acquisitions of Seraphic Security and SGNL that avoid heavy integration overhead.

The M&A signal is impossible to ignore. Google closed its thirty-two billion dollar Wiz acquisition with EU approval. Cyera raised four hundred million dollars at a nine billion dollar valuation. Vectra acquired Netography to unify observability and detection. The consolidation is real.

But underneath the platform wars, a different market is forming. IT-Harvest now tracks three hundred and seventy-five AI security vendors, almost all founded since 2022. Of those, fifty-eight are focused specifically on SOC automation: not SIEM vendors adding features, but purpose-built startups replacing the SOC staffing model entirely. Collectively, they have received over one-point-three billion dollars in funding. Many of these companies launched in early 2025 and reached one million dollars in ARR within months; by year-end, several had hit three million in ARR, for a product category that barely existed eighteen months earlier. Stiennon's assessment is direct: by this time next year, tracking "AI Security" as a standalone category will no longer make sense because every vendor will be an AI security vendor.

That is a market structure claim, not a feature claim. And it has implications beyond the SOC. Agentic AI, autonomous systems that make decisions without continuous human oversight, landed at the top of Gartner's 2026 cybersecurity trends. Forrester predicts it will cause a public breach this year. That prediction already has a proof point: a vulnerability dubbed "ClawJacked" in OpenClaw showed that a malicious website could hijack a locally running AI agent through its core gateway, no plugins or user error required.

Traditional identity and access management was never designed for machine actors that spin up dynamically, retain persistent credentials, and operate outside human governance lifecycles. Gartner data shows fifty-seven percent of employees use personal GenAI for work, with thirty-three percent uploading sensitive data to unsanctioned tools. Enterprise Management Associates calls this the "Triple Threat": agentic risk, identity governance deficits, and a visibility gap most organizations have not begun to address.

The trust question is not abstract. As I explored with Stiennon on the podcast: if SOC automation tools are consuming your logs, your alerts, and your environment data, how much of that is flowing through public models? His answer is that most serious vendors are running models locally or using privacy-preserving approaches like federated learning with fully homomorphic encryption, keeping data encrypted even during processing. The privacy infrastructure is maturing alongside the automation capability. But the question every CISO should be asking their vendors right now is: where does my data go, and who else can see it?

How Is the Industry's Own Language Getting in the Way?

When buzzwords replace operational specificity, organizations lose the ability to measure what matters. "Resilience" is the dominant frame across every major analyst report and vendor keynote right now. The World Economic Forum's 2026 Global Cybersecurity Outlook is built around it. Gartner's trends emphasize it. Forrester's predictions assume it. The shift from "prevent everything" to "prepare for the inevitable" is healthy. But resilience without definition becomes a permission structure for mediocrity.

Resilience to what? Over what timeframe? If recovery takes three days and the attacker moved in 72 minutes, that is not resilience; it is damage control. Ask the patients in Mississippi whose procedures were canceled.

The bigger messaging problem may be the gap between what the technology can now do and how the industry talks about it. Stiennon posted his SOC automation research on LinkedIn and described the response: half the comments defaulted to "but you need human in the loop" and "what about controls", the conservative security reflexes that have defined the profession for decades. That instinct is understandable. It is also increasingly expensive. AI model intelligence is growing by roughly ten-times per year. The industry's language, and its planning assumptions, are still linear. When the conversation is about whether to trust an autonomous system, and the system is doubling in capability every few months, the risk calculus changes faster than most governance frameworks can accommodate.

The board-CISO communication gap reinforces this. The IANS and Artico 2026 benchmark report found that ninety-five percent of CISOs deliver regular board updates, but only thirty percent of boards describe the relationship as strong and collaborative. Nearly half of directors say CISO reporting on evolving threats needs improvement. The World Economic Forum data reveals a parallel disconnect: CEOs rank fraud and phishing as their top concern while CISOs rank ransomware. When the board and the security leader are telling different stories about primary risk, the budget gets pulled in multiple directions without a clear operational anchor.

Meanwhile, the macro spending numbers keep climbing: two hundred and forty-four billion dollars globally in 2026, up thirteen-point-three percent, with managed services growing fastest at eleven-point-one percent because organizations cannot hire fast enough to run their own SOCs. Cyber insurers are demanding evidence of specific controls before issuing policies, becoming an unofficial compliance mechanism. And in an industry spending a quarter of a trillion dollars this year, the hardest question is not whether we have enough technology. It is whether we are honest about the gap between the story we tell and the outcomes we deliver.

The language matters because it shapes what gets funded and what gets measured. When a vendor says "platform," a buyer should hear: consolidate everything with me. When an analyst says "resilience," a CISO should ask: resilient enough to do what in the first 72 minutes? When a security leader says "we need human in the loop," press: for which decisions, at what speed, and at what cost? And when a policy maker says "back on mission," press: with what resources?

Seventy-two minutes. That is the story your program needs to tell. Can it?

If this analysis is useful, whether you are a CISO evaluating your program, a vendor shaping go-to-market strategy, a product marketer cutting through noise, or an analyst mapping the landscape, I would welcome the conversation. This is what I do: connect the dots between business operations, the technology that serves them, and the market forces that shape both. Reach out at seanmartin.com. And subscribe to Lens Four, where business, innovation, and messaging come into focus.